HTML Attribute Injection - Vulnerability Database

HTML Attribute Injection

Description

HTML Attribute Injection occurs when an application fails to properly sanitize user input before inserting it into HTML tag attributes. Unlike Cross-site Scripting (XSS), this vulnerability does not allow injection of arbitrary HTML tags or JavaScript code, but enables attackers to inject new attributes or modify existing attribute values within legitimate HTML tags. This can alter the behavior and appearance of web page elements. Exploitation typically requires social engineering to trick users into interacting with the manipulated page elements.

Remediation

Implement the following security controls to prevent HTML Attribute Injection:

1. Input Validation:
• Validate all user input against a strict allowlist of expected characters and patterns
• Reject input containing HTML metacharacters (quotes, angle brackets, equals signs) when not explicitly required

2. Context-Sensitive Output Encoding:
• Always encode user input before inserting it into HTML attributes
• Use HTML attribute encoding that escapes quotes, angle brackets, and other special characters

Example (Java):

// Use OWASP Java Encoder or similar library
// Requires: import org.owasp.encoder.Encode;
String safeValue = Encode.forHtmlAttribute(userInput);
out.println("<input type='text' value='" + safeValue + "'>");

Example (PHP):

// Use htmlspecialchars with ENT_QUOTES flag
$safeValue = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
echo "<input type='text' value='$safeValue'>";

3. Use Security Libraries:
• Leverage framework-provided encoding functions or established security libraries (OWASP ESAPI, DOMPurify)
• Avoid manual string concatenation for building HTML output

4. Content Security Policy:
• Implement CSP headers as a defense-in-depth measure to limit potential exploitation
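
The effect of the output encoding in step 2 can be checked by parsing the rendered tag and listing the attributes that result. The following is an added example, not part of the original page or of any Invicti product; the function names and sample inputs are constructed for illustration, and Python's standard html.escape stands in for the Java and PHP encoders shown above. It also covers a case the examples above avoid by quoting the attribute: encoding alone does not contain the value when the attribute is left unquoted.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample inputs (benign): each tries to add a "readonly" attribute.
QUOTE_BREAKOUT = "guest' readonly data-injected='1"
SPACE_BREAKOUT = "guest readonly"

class InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag as html.parser tokenizes them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def render_raw(value):
    # Vulnerable: user input concatenated into a quoted attribute without encoding.
    return "<input type='text' value='" + value + "'>"

def render_encoded(value):
    # Hardened: quoted attribute plus encoding of & < > " and ' (quote=True).
    return "<input type='text' value='" + escape(value, quote=True) + "'>"

def render_encoded_unquoted(value):
    # Still vulnerable: encoding is applied, but the attribute is not quoted,
    # so whitespace in the input ends the value and starts a new attribute.
    return "<input type=text value=" + escape(value, quote=True) + ">"

if __name__ == "__main__":
    for label, markup in [
        ("raw", render_raw(QUOTE_BREAKOUT)),
        ("encoded", render_encoded(QUOTE_BREAKOUT)),
        ("encoded, unquoted", render_encoded_unquoted(SPACE_BREAKOUT)),
    ]:
        print(f"{label:18} {markup}\n{'':18} -> {parsed_attrs(markup)}")
```

A check like parsed_attrs can be reused in unit tests for templates: the set of attribute names on a rendered tag should be the same for every input value.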
