What does this mean ?
Escaping HTML source code is set to disable on a JSON output; this may lead to stored cross-site scripting vulnerability as the HTML output is returned without escaping it
What can happen ?
it's recommended to enable scaping HTML on a JSON output by seting escape_html_entities_in_json to true
escape_html_entities_in_json = false
Non Vulnerable :
escape_html_entities_in_json = true