Medium Severity | OWASP A03:2021
🟡 HTML Injection
🧠 Description
HTML Injection occurs when user input is reflected in an HTML response without proper output encoding. Unlike XSS, where the injected content is script, HTML injection inserts markup; it escalates to XSS when that markup carries an event handler or breaks out of an attribute into a script context.
Impact:
- Defacement
- Phishing
- XSS via attribute breakout
💣 Payloads
<h1>Hacked</h1>
<img src=x onerror=alert(1)>
<iframe src="javascript:alert(1)">
"><script>alert(1)</script>
🛡️ Mitigation
✅ HTML-encode user-controlled data at the point it is written into the response
✅ Deploy a Content Security Policy to limit what injected markup can do
✅ Validate input against an allowlist
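The first mitigation item, worked as an added example that is not part of the original page: a vulnerable reflection of user input beside its HTML-encoded form, plus a parser-based check that the response contains only the template's own tags. The template and the sample inputs (the payload shapes listed above) are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the payload shapes listed on this page.
SAMPLE_INPUTS = [
    "<h1>Hacked</h1>",
    "<img src=x onerror=alert(1)>",
    '<iframe src="javascript:alert(1)">',
    '"><script>alert(1)</script>',
]

# Tags the template itself emits; any other tag in the output was injected.
TEMPLATE_TAGS = {"p", "input"}


def render_vulnerable(name: str) -> str:
    """Reflects the input unencoded into element content and an attribute."""
    return f'<p>Hello {name}</p><input value="{name}">'


def render_safe(name: str) -> str:
    """Same template, but the input is HTML-encoded at output time.
    quote=True also encodes both quote characters, which closes the
    attribute-breakout path ("><script>...)."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello {safe}</p><input value="{safe}">'


class _TagCollector(HTMLParser):
    """Collects every start tag a browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.add(tag)


def tag_names(rendered: str) -> set[str]:
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


def markup_intact(rendered: str) -> bool:
    """True when the response contains only the template's own tags."""
    return tag_names(rendered) == TEMPLATE_TAGS
```

Encoding makes tags inert as text, but it does not make a value safe to place in a URL-valued attribute such as src or href; those contexts need the allowlist validation from the third item.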