What is HTML injection?
HTML injection, also known as cross-site scripting (XSS), is a security vulnerability that allows an attacker to inject HTML code into web pages that are viewed by other users.
Example of HTML injection
First, the attacker finds a site that is vulnerable to HTML injection.
Then the attacker sends the victim a URL with the malicious code injected into it, by email or some other mechanism.
Depending on the code that executes, it can leak the user's sensitive information or even compromise the victim's computer.
How to avoid HTML injection?
Web programming best practices should include:
Validation of user input by checking for length, type, format and data range.
Encode any user input that will be output by the application.
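The two practices above, shown together as an added example (it is not code from the original page): a hypothetical comment form validates a display name against a length and format allow-list, validates the comment length, and then HTML-encodes every user-controlled value at the point where it is written into the page. The vulnerable and the hardened rendering are placed side by side so the effect of output encoding is visible; the field names, limits and sample input are constructed for the demonstration.

```python
import html
import re

# Constructed limits for the hypothetical form fields.
MAX_COMMENT_LEN = 200
# Allow-list for a display name: letters, digits, space, dot, underscore, hyphen; 1-40 chars.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 ._-]{1,40}$")

# Constructed sample input containing markup characters a user might submit.
SAMPLE_NAME = "Alice_01"
SAMPLE_COMMENT = 'See <a href="http://attacker.example/">this</a> & more'


def validate_name(name) -> bool:
    """Input validation: type, length and format are all checked by the allow-list pattern."""
    return isinstance(name, str) and NAME_PATTERN.fullmatch(name) is not None


def validate_comment(comment) -> bool:
    """Input validation: free text is allowed, but only as a string within the length limit."""
    return isinstance(comment, str) and 0 < len(comment) <= MAX_COMMENT_LEN


def render_unsafe(name: str, comment: str) -> str:
    """Vulnerable rendering: user text is concatenated straight into the HTML,
    so any tags or attributes in it are parsed by the browser as markup."""
    return f"<p><b>{name}</b>: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    """Hardened rendering: every user-controlled value is HTML-encoded when output.
    '<', '>', '&', '"' and "'" become entities, so the browser displays them as text."""
    return (
        f"<p><b>{html.escape(name, quote=True)}</b>: "
        f"{html.escape(comment, quote=True)}</p>"
    )


def process_submission(name, comment):
    """Validate first, then encode on output. Returns (accepted, html_or_error)."""
    if not validate_name(name):
        return False, "invalid display name"
    if not validate_comment(comment):
        return False, "invalid comment"
    return True, render_safe(name, comment)


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_NAME, SAMPLE_COMMENT))
    print("safe:  ", render_safe(SAMPLE_NAME, SAMPLE_COMMENT))
    print(process_submission("<b>Alice</b>", SAMPLE_COMMENT))
```

Validation and encoding are separate defences: the allow-list rejects names that carry markup outright, while the free-text comment is accepted and neutralised by encoding at output. Relying on input validation alone would leave the comment field exposed; relying on encoding alone would still let oversized or malformed names into the data store.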
Please check the following links for more information.
Tool to check .NET code for XSS vulnerabilities