HTML injection is a sort of injection bug that happens when an attacker is able to inject arbitrary HTML code into a vulnerable (unfiltered input) web page. This issue can have many results, such as the disclosure of a victim’s session cookies, or it can enable the attacker to change the page content that seen by many users.
it’s a basic security issue in which data (information like an email address or address or first name) and code (that build the web page, such as the creation of <script> elements) mix in unwanted ways.
An XSS attack rewrites the content of a web page or performs arbitrary JavaScript within the user’s web browser. This happens when a website gets some piece of data (text with HTML or JS code) from the user—an e-mail address, a user ID, a comment to a blog post, a status message, etc. and displays this data on a web page. If the site is not filtering the users inputs, then the meaning of the HTML document can be changed by a carefully crafted string.
This vulnerability is similar to Cross-site Scripting (XSS). Attacker finds an injection vulnerability and determines to use the vulnerability to hack some victims. The attacker will craft malicious link, including his injected HTML code, and send the malicious link to the victim.