## Next.js Application Security Gap: Missing CSP Header Leaves dangerouslySetInnerHTML Instances Exposed to XSS Exploitation
A significant security gap has been identified in a Next.js application's configuration. While `next.config.ts` implements standard hardening headers including HSTS, X-Frame-Options, and nosniff directives, it lacks a Content-Security-Policy header — the most effective defense against cross-site scripting attacks. Without CSP, any successful injection vulnerability becomes immediately exploitable for session theft and client-side code execution.

The exposure stems from ten separate instances of `dangerouslySetInnerHTML` usage across the codebase. The most critical risk sits in `src/app/search/page.tsx` (lines 1202–1216), where AI narration relies on manual HTML entity escaping followed by markdown-to-HTML regex substitution, a pattern that can reintroduce HTML from content that was already escaped. Secondary vectors include AI recommendation text rendering in `src/app/experiments/ocr-quality/[id]/results/page.tsx:113` and search result highlighting in `src/components/search/HighlightedText.tsx`. Seven SEO components under `src/components/seo/*.tsx` carry lower risk because they rely on JSON.stringify for JSON-LD schema generation.

Security researchers warn that the absence of CSP transforms these code patterns from theoretical risks into actionable attack surfaces. An attacker able to inject malicious markup through the vulnerable search narration path could hijack user sessions, execute arbitrary client-side code, or exfiltrate sensitive data. The proposed remediation involves adding a Content-Security-Policy header to `next.config.ts`, which would enforce strict script origin controls and significantly reduce XSS impact even if injection occurs. Until the header is deployed, the application's client-side attack surface remains elevated.
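The remediation described above, as an added example and not the project's own `next.config.ts`: the CSP is built from a directive map and emitted next to the hardening headers the article says the app already sends, in the `async headers()` shape Next.js expects. The directive values and the report-only toggle are assumptions chosen for illustration.

```typescript
// Added example: CSP for next.config.ts (not the project's own configuration).
type Header = { key: string; value: string };

// Directives as a map so the policy is reviewable and easy to tighten later.
// script-src gets no 'unsafe-inline'; that is what keeps an injected
// <script> inside dangerouslySetInnerHTML from executing. Values are assumed.
const cspDirectives: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'", "'unsafe-inline'"],
  "img-src": ["'self'", "data:", "https:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'none'"],
};

// Serialise the map into the header value: "name src src; name src".
export function buildCsp(directives: Record<string, string[]>): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Full header set: the existing hardening headers plus the missing CSP.
// reportOnly=true sends Content-Security-Policy-Report-Only, which logs
// violations without blocking, so the policy can be tuned before enforcing.
export function securityHeaders(reportOnly = false): Header[] {
  const cspKey = reportOnly
    ? "Content-Security-Policy-Report-Only"
    : "Content-Security-Policy";
  return [
    { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: cspKey, value: buildCsp(cspDirectives) },
  ];
}

// Matches the `headers` property of the config object exported by next.config.ts.
export async function headers() {
  return [{ source: "/(.*)", headers: securityHeaders() }];
}
```

Next.js itself emits inline scripts for hydration, so a bare `script-src 'self'` will produce violations; roll the policy out in report-only mode first, and move to the nonce-based `'strict-dynamic'` approach from the Next.js CSP documentation before enforcing.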
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: content-security-policy, xss, nextjs, dangerouslySetInnerHTML, security-header
- **Credibility**: unverified
- **Published**: 2026-04-24 08:54:09
- **ID**: 76729
- **URL**: https://whisperx.ai/en/intel/76729