
HTML Injection

HTML injection is a vulnerability that occurs when an application includes user-supplied data in its HTML output without proper encoding, allowing attackers to inject arbitrary HTML markup. It can be used for phishing, content spoofing, and as a stepping stone to more severe attacks like XSS.

HTML injection is closely related to Cross-Site Scripting but is distinguished by the injection of HTML markup rather than executable scripts. When a web application reflects user input into its HTML responses without proper encoding, an attacker can inject arbitrary HTML elements such as forms, links, images, and formatted text that appear to be part of the legitimate page.

The most common exploitation of HTML injection is phishing within a trusted domain. An attacker can inject a convincing login form into a legitimate page, with the form's action attribute pointing to a server they control. Because the injected content appears on the legitimate domain with valid HTTPS certificates, users are much more likely to trust it and submit their credentials.

HTML injection can also be used for content spoofing, where attackers alter the visible content of a page to spread misinformation, damage reputation, or manipulate users. Injected content can include fake news articles, fraudulent promotions, or misleading information that appears to come from the legitimate site operator.

Prevention mirrors XSS defences: encode all user-supplied data before including it in HTML output, using context-appropriate encoding for HTML body content, attributes, URLs, and CSS. Content Security Policy provides an additional layer of protection. Regular security testing should specifically check for HTML injection in all user-input reflection points, including URL parameters, form fields, HTTP headers, and any other data that appears in the rendered page.
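The following is an added example, not code from Vulnsy or from the original page, that illustrates the two halves of the text above: a reflection point that interpolates user input straight into HTML (the defect) beside versions that apply context-appropriate encoding for body, attribute and URL contexts, plus the kind of check a regression test would run against a reflection point. The function names, the `SAMPLE_NAME` and `PROBE` values, and the `example.invalid` host are all constructed for this illustration.

```python
import html
from urllib.parse import quote

# Constructed sample input: a display name supplied by a user at sign-up.
# It carries markup that an unencoded reflection point would render as a
# real form element inside the trusted page.
SAMPLE_NAME = '<form action="https://example.invalid">Sign in</form>'

# Constructed, harmless probe used by the reflection check below. If the
# angle brackets come back unencoded, the reflection point is injectable.
PROBE = "<i>html-injection-probe</i>"


def render_greeting_vulnerable(name: str) -> str:
    """HTML-body context with NO encoding: the defect the page describes."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-body context: encode & < > " ' before interpolating the value."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_profile_link_safe(name: str) -> str:
    """Attribute context: the value is both quoted and escaped, so it can
    neither close the attribute nor start a new element."""
    safe = html.escape(name, quote=True)
    return f'<a href="/users/me" title="{safe}">{safe}</a>'


def render_search_link_safe(term: str) -> str:
    """URL context: percent-encode the parameter value (safe="" leaves no
    punctuation unencoded), then HTML-encode the visible link text."""
    return f'<a href="/search?q={quote(term, safe="")}">{html.escape(term, quote=True)}</a>'


def reflects_markup(response_body: str, probe: str = PROBE) -> bool:
    """Regression check for a reflection point: True when the probe's markup
    survives verbatim in the response, meaning it was not encoded."""
    return probe in response_body


if __name__ == "__main__":
    print(render_greeting_vulnerable(SAMPLE_NAME))   # markup reaches the browser
    print(render_greeting_safe(SAMPLE_NAME))         # markup shown as text
    print(render_profile_link_safe(SAMPLE_NAME))
    print(render_search_link_safe(SAMPLE_NAME))
    print("vulnerable reflects probe:", reflects_markup(render_greeting_vulnerable(PROBE)))
    print("safe reflects probe:", reflects_markup(render_greeting_safe(PROBE)))
```

The `reflects_markup` check is deliberately simple: it only tells you whether the encoding step was skipped for one context. A full test pass repeats it for every reflection point the page lists (URL parameters, form fields, HTTP headers) and for every output context, since a value that is safe in the body may still break out of an unquoted attribute or a URL.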

Related Terms

HTML injection, content spoofing, phishing, injection
