HTML Injection

  • CWE 601
  • WASC 38
  • PCI 3.2-6.5.1
  • OWASP 2017-A1

HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code and inject his/her own content into the page.

If there is also an XSS in the page, it will be reported as a separate vulnerability.


Sanitize user input from metacharacters.