HTML Injection (requiring unencoded tag delimiter)
Description
HTML Injection is a vulnerability that allows attackers to inject arbitrary HTML markup into web pages when user-supplied data is not properly validated or encoded. Unlike Cross-Site Scripting (XSS), which enables JavaScript execution, HTML Injection is limited to inserting HTML tags and content. This specific variant requires that the victim's browser or client does not automatically encode tag delimiters (< and >) in query strings, which reduces its severity. Attackers typically exploit this vulnerability through social engineering, crafting malicious links that appear to originate from trusted domains. When victims click these links, the injected HTML renders in their browser, potentially displaying fake login forms, misleading content, or defaced pages that can be used for credential theft or phishing attacks.
Remediation
Implement comprehensive input validation and output encoding to prevent HTML injection:
1. Encode all user-supplied data before rendering it in HTML contexts:
// Java example using OWASP Java Encoder
import org.owasp.encoder.Encode;
String userInput = request.getParameter("input");
String safeOutput = Encode.forHtml(userInput);
response.getWriter().write(safeOutput);
// PHP example
$userInput = $_GET['input'];
$safeOutput = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
echo $safeOutput;
// JavaScript example (for client-side rendering)
const userInput = new URLSearchParams(window.location.search).get('input');
const div = document.createElement('div');
div.textContent = userInput; // textContent inserts the value as text, so it is never parsed as markup
document.body.appendChild(div);
2. Implement input validation: Define and enforce strict allowlists for expected input formats, rejecting or sanitizing unexpected characters.
3. Use security libraries: Leverage established encoding libraries such as OWASP Java Encoder, Microsoft AntiXSS, or framework-specific functions rather than implementing custom encoding.
4. Set appropriate Content-Type headers: Ensure responses include proper Content-Type headers (e.g., Content-Type: text/html; charset=UTF-8) to prevent encoding confusion.
5. Implement Content Security Policy (CSP): Deploy CSP headers as a defense-in-depth measure to limit the impact of successful injection attacks.
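The following Node.js example is added here and is not part of the original advisory; it puts steps 1 and 2 side by side by rendering a query-string parameter first without and then with allowlist validation and HTML encoding. The "name" and "comment" parameters, the page fragments, and the query string are constructed for illustration.

```javascript
// Added example, not part of the original advisory. The "name" and "comment"
// parameters and the page fragments are constructed for illustration.

// HTML encoder for text content and quoted attribute values (step 1).
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Allowlist for a display name (step 2): reject anything outside the expected shape.
function isValidName(value) {
  return typeof value === 'string' && /^[A-Za-z0-9 _.-]{1,40}$/.test(value);
}

// Vulnerable: the raw query value is concatenated into the page, so an unencoded
// "<" or ">" in the URL becomes live markup when the response is rendered.
function renderGreetingVulnerable(query) {
  const name = new URLSearchParams(query).get('name') ?? '';
  return `<h1>Welcome, ${name}</h1>`;
}

// Hardened: validate against the allowlist, then encode before the HTML context.
function renderGreetingSafe(query) {
  const name = new URLSearchParams(query).get('name') ?? '';
  if (!isValidName(name)) {
    return '<h1>Welcome, guest</h1>'; // reject, rather than try to clean, bad input
  }
  return `<h1>Welcome, ${encodeHtml(name)}</h1>`;
}

// Free-form text cannot be allowlisted as tightly, so encoding is the control:
// any markup in the value is displayed as text instead of being parsed.
function renderCommentSafe(query) {
  const comment = new URLSearchParams(query).get('comment') ?? '';
  return `<p>${encodeHtml(comment)}</p>`;
}

// Constructed query string carrying unencoded tag delimiters.
const constructedQuery = 'name=<b>injected</b>&comment=<b>injected</b>';

console.log(renderGreetingVulnerable(constructedQuery)); // markup survives
console.log(renderGreetingSafe(constructedQuery));       // falls back to "guest"
console.log(renderCommentSafe(constructedQuery));        // &lt;b&gt;... shown as text
```

The two safe renderers differ on purpose: a name has a known shape and can be rejected outright, while a comment has to be accepted and relies on encoding alone.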