HTML injection enables you to inject HTML elements into a web app for malicious purposes. Like with other forms of injection, you are targeting an input component of the app in order to add code that is valid and will execute if not handled properly by the app. The most common outcome of an HTML injection attack is the modification of a page's contents.

As an example, assume that you are testing a web page with a field for submitting site feedback. The feedback is displayed on the same page after it is submitted for other users to see. This field does not properly sanitize input, so it is vulnerable to HTML injection. In the field, you enter:

I'm trying to sort the products but it's not working. Can anyone help? <a href="http://malice.example">Click here to respond.</a>

When the input is submitted and returned to the page, it will include a link to your malicious site. This is because the web app fails to strip out the HTML tags, so they get added to the page. When a user browses the page, they will see the link and fall victim to your attack if they click it.

HTML injection is also effective when it's used in conjunction with social engineering. You can include the injected code along with a link that you send to a victim in a phishing attempt. For example, a user's profile page might provide a name parameter that displays the user's name. You can place the following URL in a disguised link and send it to the victim:


If the user is logged in and the site is vulnerable, they will see your injected link where their name should be. Note the use of encoded spaces.