When you are developing a web application, you should take into account the html injection.

In general, code injection is (from wikipedia):

Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or “inject”) code into a computer program to change the course of execution.


Imagine you are developing a chat application, you’ll have to provide to the users the capability to send text through a text box, other users will display the received messages.

Imagine the sender of a message types the following text into the text box

<b>Hello</b> world

the receiver will display:

Hello world

so he can modify the style of displayed messages!

let’s try with the following pieces of text:

<a href=”http://mysiteisthebest>Hello World</a>

maybe the sender is a spammer, and we are giving to the spammer the capability to spam using our service!

The sender could also insert more malicious code:


The browser of the receiver could open a new window pointing to bestSite!

Experienced hackers could inject more malicious code!

A way to prevent html injection is to show only parsed text, a simple javascript function to parse text is the following one:

function preventHtmlInjection(textString)
return(textString.replace(/</g, “&lt;”).replace(/>/g, “&gt;”));