fix(app-render): HTML-escape bootstrapScriptContent to prevent dev-mode XSS

[tomohiro86]

What?

Applies htmlEscapeJsonString() to the bootstrapScriptContent inline script generated in development server mode, closing a reflected XSS vector via the x-nextjs-request-id request header.

Why?

The GHSA security patch (commit 647d923a3f) fixed the same class of bug — JSON.stringify() without HTML escaping in an inline <script> — in two places:

• packages/next/src/server/app-render/stream-ops.node.ts ✅
• packages/next/src/server/app-render/use-flight-response.tsx ✅

The bootstrapScriptContent assignment in app-render.tsx was missed:

// Before — vulnerable
const bootstrapScriptContent = process.env.__NEXT_DEV_SERVER
  ? `self.__next_r=${JSON.stringify(requestId ?? crypto.randomUUID())}`
  : undefined

requestId comes from the x-nextjs-request-id header (not in INTERNAL_HEADERS). Sending:

X-Nextjs-Request-Id: 0</script><img src=x onerror=alert(origin)>

produces a broken script tag in the HTML output, allowing arbitrary JS execution. Only the dev server is affected — production builds never reach this branch (process.env.__NEXT_DEV_SERVER is undefined).

Related issue: #93732

How?

+ import { htmlEscapeJsonString } from '../../shared/lib/htmlescape'

  const bootstrapScriptContent = process.env.__NEXT_DEV_SERVER
-   ? `self.__next_r=${JSON.stringify(requestId ?? crypto.randomUUID())}`
+   ? `self.__next_r=${htmlEscapeJsonString(JSON.stringify(requestId ?? crypto.randomUUID()))}`
    : undefined

A unit test is added at packages/next/src/server/app-render/bootstrap-script-content.test.ts verifying that a malicious request ID containing </script> is safely escaped and round-trips correctly via JSON.parse.