@rob006 (Contributor) commented Jan 26, 2026

Using JSON_UNESCAPED_SLASHES when embedding JSON inside a <script> tag is unsafe because it allows unescaped </script> sequences to appear in the output. HTML parsers terminate <script> tags before JavaScript parsing, even if the sequence appears inside a string literal. This can lead to XSS if any JSON value is user-controlled. The default escaping in json_encode() prevents this and should not be disabled in this context.

While this does not appear to be an issue in the plugin’s default setup, the schema can be altered by filters, and the current JSON encoding settings are a major footgun that can lead to security issues if misused.

Steps to reproduce:

add_filter('wpseo_schema_webpage', static function ($graphPiece) {
	$graphPiece['@id'] = 'https://example.com/?s=</script>';
	$graphPiece['url'] = 'https://example.com/?s=</script>';
	return $graphPiece;
});

Note that https://example.com/?s=</script> is a perfectly valid URL, but </script> in the URL prematurely closes the <script> tag.

506df1ea
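An added example, not code from the pull request or the plugin: it encodes the graph piece from the reproduction steps under three flag settings and reports whether the output contains a `</script` sequence that would end the surrounding element. The function names are hypothetical, and JSON_HEX_TAG is an extra variant included for comparison, not something the pull request proposes.

```php
<?php
// Added example; function names are hypothetical, sample data is constructed.

/** Encode $data for placement inside a <script type="application/ld+json"> element. */
function encode_for_script(array $data, int $flags): string
{
    return json_encode($data, $flags | JSON_THROW_ON_ERROR);
}

/** True if $json contains a sequence the HTML tokenizer treats as the script end tag. */
function breaks_out_of_script(string $json): bool
{
    // The end tag is matched case-insensitively, before any JSON or JavaScript parsing.
    // Matching the bare prefix "</script" is deliberately conservative.
    return stripos($json, '</script') !== false;
}

// Constructed graph piece using the URL from the reproduction steps.
$piece = [
    '@id' => 'https://example.com/?s=</script>',
    'url' => 'https://example.com/?s=</script>',
];

$variants = [
    'JSON_UNESCAPED_SLASHES' => JSON_UNESCAPED_SLASHES, // "/" left as-is
    'default flags'          => 0,                      // "/" becomes "\/"
    'JSON_HEX_TAG'           => JSON_HEX_TAG,           // "<" and ">" become \u003C and \u003E
];

foreach ($variants as $label => $flags) {
    $json = encode_for_script($piece, $flags);

    // Every variant must decode back to the same data; only the escaping differs.
    if (json_decode($json, true) !== $piece) {
        throw new RuntimeException("round trip failed for $label");
    }

    $verdict = breaks_out_of_script($json) ? 'BREAKS OUT' : 'contained';
    printf("%-24s %s\n  %s\n", $label, $verdict, $json);
}
```

Only the JSON_UNESCAPED_SLASHES variant is reported as breaking out; the other two decode to identical data while keeping the literal end-tag sequence out of the markup.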
