The JSON for data-l10n-args created manually is incorrect:
```html
<button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{ "title": "Resolving Error: "Objects are not valid as a React child"" }" class="context-menu-button icon"></button>
```
Here's the js string value:
{ "title": "Resolving Error: "Objects are not valid as a React child"" }
This particular string injection came from
```js
data-l10n-args={`{ "title": "${title}" }`}
```
https://github.com/mozilla/activity-stream/blob/1effc63a887147b3ef374945c05b830abbb60a1b/content-src/components/Card/Card.jsx#L249
We should make sure we don't allow string injection and make sure to just call stringify. And fix up all places where we do something similar.
Bug 1563127 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
The JSON for data-l10n-args created manually is incorrect:
```html
<button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{ "title": "Resolving Error: "Objects are not valid as a React child"" }" class="context-menu-button icon"></button>
```
Here's the js string value:
```
{ "title": "Resolving Error: "Objects are not valid as a React child"" }
```
This particular string injection came from
```js
data-l10n-args={`{ "title": "${title}" }`}
```
https://github.com/mozilla/activity-stream/blob/1effc63a887147b3ef374945c05b830abbb60a1b/content-src/components/Card/Card.jsx#L249
We should make sure we don't allow string injection and make sure to just call stringify. And fix up all places where we do something similar.