
HTML Injection

What does this mean?

HTML injection is a technique that uses unvalidated input to change a web page that a web application displays to its users. Attackers exploit the fact that the content of a web page is frequently tied to previous interactions with users. When an application fails to check user data, an attacker can submit HTML-formatted text that changes the site content other users see. A well-crafted query can insert attacker-controlled HTML elements into the web page, altering the way application content is presented on the web.

What can happen?

It gives an attacker the ability to change the page and steal someone else's identity. When the attacker identifies an injection vulnerability, he or she decides to launch an HTML injection attack. The attacker creates malicious links containing the injected HTML content and distributes them to a victim through email. The victim visits the page because it is hosted within a trusted domain. The attacker's injected HTML is rendered and presented to the user, who is then prompted for a login and password. The user provides a username and password, both of which are forwarded to the attacker's server.


There is no question that such an attack is mostly the result of the developer's incompetence and lack of understanding. This sort of injection attack happens because the input and output were not validated. To prevent such attacks, it is critical to have sufficient data validation in place.

  • Every input should be checked to see whether it includes any script or HTML code. Check whether the input contains any special script or HTML brackets: <script></script>, <html></html>.
  • There are several functions for determining whether or not the input contains any special brackets. The checking function you use depends on the programming language you choose.

Sample Code

Vulnerable:

    <h1>Here are the results that matches: </h1>
    <h2></h2>special offer <a>malicious</a><h2></h2>
        <li>Result A
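
The results page above, rebuilt as an added example (not code from the original page): one renderer reflects the search term unchanged, the other encodes it on output, and a small parser-based check reports any element the template did not emit. The function names, the template layout and the sample results are assumptions; the search term is reconstructed from the vulnerable output shown above.

```python
import html
from html.parser import HTMLParser

RESULTS = ["Result A", "Result B"]              # constructed sample data
TEMPLATE_TAGS = ["h1", "h2", "ul", "li", "li"]  # elements the template itself emits
# Search term reconstructed from the vulnerable output shown on the page.
PAGE_PAYLOAD = "</h2>special offer <a>malicious</a><h2>"


class TagCollector(HTMLParser):
    """Records every element a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def render_vulnerable(query):
    # Flaw: the search term is concatenated into the markup unchanged.
    items = "".join(f"<li>{r}</li>" for r in RESULTS)
    return f"<h1>Here are the results that match: </h1><h2>{query}</h2><ul>{items}</ul>"


def render_safe(query):
    # Fix: encode <, >, &, " and ' at output time so input stays plain text.
    items = "".join(f"<li>{html.escape(r)}</li>" for r in RESULTS)
    return (f"<h1>Here are the results that match: </h1>"
            f"<h2>{html.escape(query, quote=True)}</h2><ul>{items}</ul>")


def unexpected_tags(page):
    """Return the elements in `page` that the template never emits."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    extra = list(collector.tags)
    for tag in TEMPLATE_TAGS:
        if tag in extra:
            extra.remove(tag)
    return extra


if __name__ == "__main__":
    print(unexpected_tags(render_vulnerable(PAGE_PAYLOAD)))  # ['a', 'h2']
    print(unexpected_tags(render_safe(PAGE_PAYLOAD)))        # []
```

The same unexpected_tags check can serve as a regression test for any template that reflects user input.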