Script injection vulnerability in combination with useHead #610

@jschroeter

Description

Environment

- Operating System: Linux
- Node Version:     v18.20.3
- Nuxt Version:     3.16.0
- CLI Version:      3.23.0
- Nitro Version:    2.11.6
- Package Manager:  [email protected]
- Builder:          -
- User Config:      compatibilityDate, devtools, modules
- Runtime Modules:  [email protected]
- Build Modules:    -

Nuxt Security Version

v2.2.0

Default setup used?

Yes, the bug happens even if the security option is not customized

Security options

Reproduction

Description

  • When nuxt-security is turned off, the script is not executed, as it's just a string inside of a meta tag attribute value (<meta property="og:title" content="<script></script><script>alert(1)</script>">). All good.
  • But when enabling nuxt-security, it adds nonce attributes, which then results in <meta property="og:title" content="<script nonce="xXNuFdmH0kSn/o6NLkUvBI1S"></script><script nonce="xXNuFdmH0kSn/o6NLkUvBI1S">alert(1)</script>">; hence it terminates the content attribute and the script injection is successful. When opening the page, an alert is shown, which should not happen.
  • Using useHeadSafe only helps partly: it prevents the script injection on the <link> tag, but the one in the <meta> tag still persists.

On first thought, I see two solutions:

  1. make nuxt-security's nonce logic smarter so that it does not replace <script> inside of attributes
  2. adjust useHead/useHeadSafe to encode <> characters so that nuxt-security's logic won't match anymore

What do you think?

Additional context

No response
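As an added illustration of the attribute breakout described above and of the two fixes the reporter proposes (hypothetical code written for this page, not nuxt-security's or unhead's implementation; `addNonceNaive`, `addNonceTagAware`, `escapeAttr` and `renderOgTitle` are invented names, and the nonce value is the one quoted in the report):

```javascript
// Hypothetical model of the bug: a nonce-injection pass that rewrites
// "<script" wherever it occurs in serialized HTML, beside two fixes.
// Not nuxt-security's or unhead's code.

const NONCE = "xXNuFdmH0kSn/o6NLkUvBI1S"; // nonce value quoted in the report

// Naive pass (models the reported behaviour): every "<script" in the
// document gets a nonce, even when it is only text inside an attribute.
function addNonceNaive(html, nonce) {
  return html.replace(/<script(?=[\s>])/gi, `<script nonce="${nonce}"`);
}

// Fix 1 (first suggestion): only rewrite a "<script" that actually opens
// a tag. A small state machine tracks "inside a tag" and "inside quotes".
function addNonceTagAware(html, nonce) {
  let out = "", inTag = false, quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (inTag) {
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") inTag = false;
    } else if (c === "<") {
      if (/^<script[\s>]/i.test(html.slice(i, i + 8))) {
        out += `<script nonce="${nonce}"`;
        i += 6; // skip the rest of "<script"; delimiter handled next round
        inTag = true;
        continue;
      }
      inTag = /[A-Za-z\/]/.test(html[i + 1] ?? "");
    }
    out += c;
  }
  return out;
}

// Fix 2 (second suggestion): encode the attribute value when rendering the
// meta tag, so the serialized markup never contains a literal "<script".
function escapeAttr(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
function renderOgTitle(title, escape) {
  const content = escape ? escapeAttr(title) : title; // unescaped = the bug
  return `<meta property="og:title" content="${content}">`;
}

// Constructed payload, the same one used in the report.
const PAYLOAD = "<script></script><script>alert(1)</script>";
```

Running the naive pass over `renderOgTitle(PAYLOAD, false)` reproduces the breakout; the tag-aware pass leaves that meta tag untouched, and the escaped render never matches in the first place, while a real `<script>` tag still receives its nonce under both passes.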

Labels

bug (Something isn't working)