HTML Injection

agnusdei · 12 August 2025

CTF


Explanation of HTML Injection

HTML Injection is a web security vulnerability in which an attacker submits HTML markup through a website's input fields and the application writes that input into the page as raw HTML, without filtering or sanitising it. Because the injected markup becomes part of the page, it can change the page's appearance or behaviour, and when the application also lets script tags or event handlers through, it can execute attacker-controlled JavaScript.


Key points:

  • What it is: Inserting unauthorised HTML markup into a web application's input fields.

  • How it happens: When user input is not properly validated or sanitised and is written back into the webpage as raw HTML instead of as text.

  • Potential impact:

    • Altered webpage layout or content
    • Defacement (visual changes)
    • Further security risks if the injected markup can carry JavaScript (escalating to Cross-Site Scripting, XSS)

  • Where it occurs: On the client side, affecting what the user sees and interacts with in their browser.


Example

If a website asks for your name and simply writes what you typed into the page as HTML without escaping it, typing <h1>Hello</h1> makes the browser render a large header reading "Hello" instead of the literal text "<h1>Hello</h1>".
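The name-echo scenario above, as an added example that is not from the original post: the vulnerable concatenation next to the fix of escaping at the point where the value is written into HTML, plus a small check that tells whether an input came back as live markup. Function names (renderGreetingUnsafe, renderGreetingSafe, reflectsRawMarkup) are assumptions made for this illustration.

```javascript
// Added example; names below are illustrative, not from any real project.

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the submitted name is concatenated straight into the page as markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fixed: the name is escaped on output, so the browser renders it as text and
// any tags it contains stay literal.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Check used in a test suite: does an input containing a tag reappear in the
// rendered page unchanged? True means the page is injectable at that point.
function reflectsRawMarkup(input, renderedPage) {
  const containsTag = /<[a-z][^>]*>/i.test(input);
  return containsTag && renderedPage.includes(input);
}

// Constructed sample input: the <h1> payload from the example above.
const sample = '<h1>Hello</h1>';

console.log(renderGreetingUnsafe(sample)); // <p>Hello, <h1>Hello</h1>!</p>
console.log(renderGreetingSafe(sample));   // <p>Hello, &lt;h1&gt;Hello&lt;/h1&gt;!</p>
console.log(reflectsRawMarkup(sample, renderGreetingUnsafe(sample))); // true
console.log(reflectsRawMarkup(sample, renderGreetingSafe(sample)));   // false
```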


Summary sentence

HTML Injection allows attackers to insert malicious HTML markup into web pages, which can alter the page's appearance or lead to further security issues such as XSS.

