CSP nonce not added to JSON encoded strings containing <script>

[PeterMead]

This is a follow on from #563 which already describes the situation well so I'll just quote the short version.

This PR fixes csp errors caused by

However, #658 changed the level of escaping when JSON encoding so '<script>' becomes '\\u003Cscript\\u003E'.