Can an attacker take advantage of HTML tag injection in request parameters?

Say I have a web application that accepts a parameter called "content". Whatever is present in this parameter will be output as a part of the HTML response.

Example JSP code:

<%= request.getParameter("content") %>

I know this is silly and it should be sanitized and so on, but my question is if an attacker can a开发者_StackOverflow中文版ctually take advantage of this? The way I understand it you'd only change the content sent to yourself, so the only one an attacker could hurt is himself? Correct?

Consider the following example:

your.vulnerable.site.com/page.jsp?content=<img src="lol" onerror="javascript('code, that posts the users cookie to the attackers site')" />

Then the attacker creates a link somewhere, and makes it to looks like some important link to your site. There are -of course- several times as clever vectors as this example.

The way I understand it you'd only change the content sent to yourself, so the only one an attacker could hurt is himself?

No.

Its a URL. All the attacker needs to do is get the victim to visit it.

They could link it from their own website, drop it in an email, IM it, etc (and wrap it in a tiny url service to disguise it).

Attacker can produce url with special value in content var and send it to some victim and read his cookies for example.

Definite Yes. At least XSS attack is ready to go ... This is a classic exam of XSS attack target. You should take care and do not display in the html content anything that is coming directly from the client. You on of the many AntiXSS libraries.

There are some examples here, take a look: What is the general concept behind XSS?