I have found way to use XSS, and I haven't found any ways to notify directly dev team about that - the main site sucks.
Steps to reproduce:
1) Install M2 CE with Data, update indexes, flush cache
2) Go to /karissa-v-neck-tee.html
3) Pay attention that meta description have not escaped
4) Go to admin panel and write in meta description field:
5) Update the product page
It's to funny to have a lot of devs, testers, managers but releases bugged Magento version that you developed more than two years and haven't any simple way on your main page to notify you about vulnerability.
I have already reported it 16 days ago:
As I can see your solution covers only case when description is empty, so it still allows injecting scripts directly through meta fields.
IMHO it doesn't have any sense to allow any tags or scripts in these fields, so all this data should be always stripped before save.
And I really don't understand why DEV and TEST teams have been keeping this bug alive for 16 (!) days
Please report any vulnerabilities on: https://bugcrowd.com/magento
Additional security information can be found at: https://magento.com/security