diff --git a/README.md b/README.md
index e6523ba..42aa4b2 100644
--- a/README.md
+++ b/README.md
@@ -4,14 +4,13 @@ Serialize JavaScript
 Serialize JavaScript to a _superset_ of JSON that includes regular expressions, dates and functions.
 
 [![npm Version][npm-badge]][npm]
-[![Dependency Status][david-badge]][david]
 ![Test](https://github.com/yahoo/serialize-javascript/workflows/Test/badge.svg)
 
 ## Overview
 
 The code in this package began its life as an internal module to [express-state][]. To expand its usefulness, it now lives as `serialize-javascript` — an independent package on npm.
 
-You're probably wondering: **What about `JSON.stringify()`!?** We've found that sometimes we need to serialize JavaScript **functions**, **regexps**, **dates**, **sets** or **maps**. A great example is a web app that uses client-side URL routing where the route definitions are regexps that need to be shared from the server to the client. But this module is also great for communicating between node processes.
+You're probably wondering: **What about `JSON.stringify()`!?** We've found that sometimes we need to serialize JavaScript **functions**, **regexps**, **dates**, **sets** or **maps**. A great example is a web app that uses client-side URL routing where the route definitions are regexps that need to be shared from the server to the client.
 
 The string returned from this package's single export function is literal JavaScript which can be saved to a `.js` file, or be embedded into an HTML document by making the content of a `<script>` element.
 
@@ -19,6 +18,13 @@ The string returned from this package's single export function is literal JavaSc
 
 Please note that serialization for ES6 Sets & Maps requires support for `Array.from` (not available in IE or Node < 0.12), or an `Array.from` polyfill.
 
+> [!WARNING]
+> It may be tempting to use this package as a way to pass arbitrary functions into [worker threads][], since you cannot pass them directly via `postMessage()`. However, passing functions between worker threads is not possible in the general case. This package lets you serialize *some* functions, but it has limitations.
+>
+> For instance, if a function references something from outside the function body, it will not run properly if serialized and deserialized. This could include [closed-over variables][] or imports from other packages. For a serialized function to run properly, it must be entirely self-contained.
+>
+> In general, it is not possible to send arbitrary JavaScript to a worker thread, and pretend it's running the same way it would run on the main thread. This package doesn't let you do that.
+
 ## Installation
 
 Install using npm:
@@ -136,8 +142,8 @@ See the [LICENSE file][LICENSE] for license text and copyright information.
 
 [npm]: https://www.npmjs.org/package/serialize-javascript
 [npm-badge]: https://img.shields.io/npm/v/serialize-javascript.svg?style=flat-square
-[david]: https://david-dm.org/yahoo/serialize-javascript
-[david-badge]: https://img.shields.io/david/yahoo/serialize-javascript.svg?style=flat-square
 [express-state]: https://github.com/yahoo/express-state
 [JSON.stringify]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify
 [LICENSE]: https://github.com/yahoo/serialize-javascript/blob/main/LICENSE
+[worker threads]: https://nodejs.org/api/worker_threads.html
+[closed-over variables]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Closures
diff --git a/index.js b/index.js
index e8022a3..8970953 100644
--- a/index.js
+++ b/index.js
@@ -15,6 +15,9 @@ var IS_NATIVE_CODE_REGEXP = /\{\s*\[native code\]\s*\}/g;
 var IS_PURE_FUNCTION = /function.*?\(/;
 var IS_ARROW_FUNCTION = /.*?=>.*?/;
 var UNSAFE_CHARS_REGEXP   = /[<>\/\u2028\u2029]/g;
+// Regex to match </script> and variations (case-insensitive) for XSS protection
+// Matches </script followed by optional whitespace/attributes and >
+var SCRIPT_CLOSE_REGEXP = /<\/script[^>]*>/gi;
 
 var RESERVED_SYMBOLS = ['*', 'async'];
 
@@ -32,6 +35,21 @@ function escapeUnsafeChars(unsafeChar) {
     return ESCAPED_CHARS[unsafeChar];
 }
 
+// Escape function body for XSS protection while preserving arrow function syntax
+function escapeFunctionBody(str) {
+    // Escape </script> sequences and variations (case-insensitive) - the main XSS risk
+    // Matches </script followed by optional whitespace/attributes and >
+    // This must be done first before other replacements
+    str = str.replace(SCRIPT_CLOSE_REGEXP, function(match) {
+        // Escape all <, /, and > characters in the closing script tag
+        return match.replace(/</g, '\\u003C').replace(/\//g, '\\u002F').replace(/>/g, '\\u003E');
+    });
+    // Escape line terminators (these are always unsafe)
+    str = str.replace(/\u2028/g, '\\u2028');
+    str = str.replace(/\u2029/g, '\\u2029');
+    return str;
+}
+
 function generateUID() {
     var bytes = crypto.getRandomValues(new Uint8Array(UID_LENGTH));
     var result = '';
@@ -138,12 +156,18 @@ module.exports = function serialize(obj, options) {
         return value;
     }
 
-    function serializeFunc(fn) {
+    function serializeFunc(fn, options) {
       var serializedFn = fn.toString();
       if (IS_NATIVE_CODE_REGEXP.test(serializedFn)) {
           throw new TypeError('Serializing native function: ' + fn.name);
       }
 
+      // Escape unsafe HTML characters in function body for XSS protection
+      // This must preserve arrow function syntax (=>) while escaping </script>
+      if (options && options.unsafe !== true) {
+          serializedFn = escapeFunctionBody(serializedFn);
+      }
+
       // pure functions, example: {key: function() {}}
       if(IS_PURE_FUNCTION.test(serializedFn)) {
           return serializedFn;
@@ -261,6 +285,6 @@ module.exports = function serialize(obj, options) {
 
         var fn = functions[valueIndex];
 
-        return serializeFunc(fn);
+        return serializeFunc(fn, options);
     });
 }
diff --git a/package-lock.json b/package-lock.json
index 9027c5f..bda5896 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "serialize-javascript",
-  "version": "7.0.0",
+  "version": "7.0.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "serialize-javascript",
-      "version": "7.0.0",
+      "version": "7.0.1",
       "license": "BSD-3-Clause",
       "devDependencies": {
         "benchmark": "^2.1.4"
diff --git a/package.json b/package.json
index fa8a9c7..2a2437c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "serialize-javascript",
-  "version": "7.0.0",
+  "version": "7.0.1",
   "description": "Serialize JavaScript to a superset of JSON that includes regular expressions and functions.",
   "main": "index.js",
   "scripts": {
diff --git a/test/unit/serialize.js b/test/unit/serialize.js
index 62c0eee..f850d6e 100644
--- a/test/unit/serialize.js
+++ b/test/unit/serialize.js
@@ -495,6 +495,80 @@ describe('serialize( obj )', function () {
             strictEqual(serialize(new URL('x:</script>')), 'new URL("x:\\u003C\\u002Fscript\\u003E")');
             strictEqual(eval(serialize(new URL('x:</script>'))).href, 'x:</script>');
         });
+
+        it('should encode unsafe HTML chars in function bodies', function () {
+            function fn() { return '</script>'; }
+            var serialized = serialize(fn);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript\\u003E'), true);
+            strictEqual(serialized.includes('</script>'), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(typeof deserialized, 'function');
+            strictEqual(deserialized(), '</script>');
+        });
+
+        it('should encode unsafe HTML chars in arrow function bodies', function () {
+            var fn = () => { return '</script>'; };
+            var serialized = serialize(fn);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript\\u003E'), true);
+            strictEqual(serialized.includes('</script>'), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(typeof deserialized, 'function');
+            strictEqual(deserialized(), '</script>');
+        });
+
+        it('should encode unsafe HTML chars in enhanced literal object methods', function () {
+            var obj = {
+                fn() { return '</script>'; }
+            };
+            var serialized = serialize(obj);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript\\u003E'), true);
+            strictEqual(serialized.includes('</script>'), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(deserialized.fn(), '</script>');
+        });
+
+        it('should not escape function bodies when unsafe option is true', function () {
+            function fn() { return '</script>'; }
+            var serialized = serialize(fn, {unsafe: true});
+            strictEqual(serialized.includes('</script>'), true);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript\\u003E'), false);
+        });
+
+        it('should encode </script > with space before >', function () {
+            function fn() { return '</script >'; }
+            var serialized = serialize(fn);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript'), true);
+            strictEqual(serialized.includes('</script '), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(typeof deserialized, 'function');
+            strictEqual(deserialized(), '</script >');
+        });
+
+        it('should encode </script foo> with attributes', function () {
+            function fn() { return '</script foo>'; }
+            var serialized = serialize(fn);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript'), true);
+            strictEqual(serialized.includes('</script '), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(typeof deserialized, 'function');
+            strictEqual(deserialized(), '</script foo>');
+        });
+
+        it('should encode </script with tab before >', function () {
+            function fn() { return '</script\t>'; }
+            var serialized = serialize(fn);
+            strictEqual(serialized.includes('\\u003C\\u002Fscript'), true);
+            strictEqual(serialized.includes('</script'), false);
+            // Verify the function still works after deserialization
+            var deserialized; eval('deserialized = ' + serialized);
+            strictEqual(typeof deserialized, 'function');
+            strictEqual(deserialized(), '</script\t>');
+        });
     });
 
     describe('options', function () {