HTML injection is a sort of injection bug that happens when an attacker is able to inject arbitrary HTML code into a vulnerable (unfiltered input) web page. This issue can have many results, such as the disclosure of a victim’s session cookies, or it can enable the attacker to change the page content that seen by many users.
it’s a basic security issue in which data (information like an email address or address or first name) and code (that build the web page, such as the creation of <script> elements) mix in unwanted ways.
This vulnerability is similar to Cross-site Scripting (XSS). Attacker finds an injection vulnerability and determines to use the vulnerability to hack some victims. The attacker will craft malicious link, including his injected HTML code, and send the malicious link to the victim.