HTML Injection Testing
Audited by Socket on Feb 16, 2026
1 alert found:
Security: This document is a highly actionable HTML injection testing guide that doubles as an offensive playbook for phishing, credential harvesting, and site defacement. While it contains accurate remediation guidance suitable for defenders, the inclusion of ready-to-use payloads, explicit attacker endpoints, automated testing scripts, and evasion techniques elevates its misuse risk. Treat distribution as sensitive: require authorization for use, replace external endpoints with safe placeholders in demonstrations, and emphasize legal/scope constraints. Remediation advice should be followed by developers to close the described sinks (context-aware encoding, CSP, sanitizers like DOMPurify, input validation, and safe use of innerHTML).