Description
This vulnerability occurs when user input is not correctly sanitized and the output is not encoded.
Bussines Impact
A successful injection will allow the attacker to send a malicious HTML page to a victim.
Recommendation
Look for HTML elements in the incoming HTTP stream that contains the user input. And simply removes any HTML-syntax substrings (like tags and links) from any user-supplied text.
More Details
OWASP Attack scenario A possible attack scenario is demonstrated below: Attacker discovers injection vulnerability and decides to use an HTML injection attack Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email The user visits the page due to the page being located within a trusted domain The attacker’s injected HTML is rendered and presented to the user asking for a username and password The user enters a username and password, which are both sent to the attackers server
Reference
https://www.imperva.com/learn/application-security/html-injection/