#!/usr/bin/env python3
# Disclaimer: For authorized security research and educational use only.
# Do not use this tool on systems you do not own or have explicit written
# permission to test.
"""
GHSA-gx5p-jg67-6x7h -- Next.js next/script beforeInteractive XSS exploit.
Target spec: Next.js < 16.2.5 with any page that forwards user-controlled data
through `... elements elsewhere on the page).
push_idx = body.find(in_script_block)
body_after_push = body[push_idx:] if push_idx != -1 else body
if needle in body_after_push:
print(C.G + C.B + "[+] VULNERABLE -- raw survived to the wire." + C.X)
print(C.G + " The HTML tokenizer terminates the inline next/script element")
print(" and the attacker payload runs as a brand-new