Diving Into HTML & My First Encounter With Web Vulnerabilities

Today was a big day.
I didn’t just learn what a `<p>` tag is. I learned that websites, the things we use daily, can sometimes be tricked by just typing stuff in. That’s right, no hacking gadgets or elite gear needed - just a keyboard, a form field, and some `<script>` tags.
Here’s what stood out to me and what I learned:
The Basics: HTML Structure
Tags vs Elements: Tags are like commands (e.g., `<p>`, `<h1>`, `<img>`), while elements are the full block, including the opening tag, content, and closing tag (like `<p>Hello</p>`).
Attributes: Tags can have attributes like `class`, `id`, or `src`. For example:
```html
<p class="bold-text" id="intro">Welcome</p>
```
`class` can style it, `id` can help find it with JavaScript.
Self-closing Tags: Some don’t need a closing tag. Like `<br>` for a line break.
Aha Moment: The Page Title
You know that tab at the top of your browser? The one that says something like “TryHackMe | How Websites Work”?
That’s the `<title>` element in your HTML’s `<head>` section. Felt good spotting it live in action!
JavaScript Magic
You can grab an element like this:
```javascript
document.getElementById("demo").innerHTML = "Hack the Planet";
```
You can change the content of the page without touching the HTML file manually. It’s dynamic. Like if a button is clicked, the text can change on the fly.
`onclick` can be inside the HTML or inside the `<script>` section. Either works.
HTML Injection: The First Taste of Hacking
This blew my mind.
If a website allows users to input stuff - like comments or feedback - and doesn’t properly sanitize that input, someone can type:
```html
<script>alert('Hacked');</script>
```
…and boom! The script runs. That’s HTML Injection.
Attackers can:
Change what the page looks like
Add images
Fake login forms
Trick users
Even redirect people to other websites
All just by typing into a regular input field.
So, Is It Dangerous?
Yes, if the website doesn’t filter user input.
Developers must sanitize inputs so that the browser treats them as text, not code. That means replacing `<` and `>` with `&lt;` and `&gt;`.
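As an added example (not code from the original post), here is that escaping step in JavaScript, with a comment rendered once by plain string concatenation and once through an escaping helper. The helper and function names are hypothetical, the sample input is constructed, and the helper goes one step beyond `<` and `>` by also escaping `&` and quotes so the output stays text inside attribute values too.

```javascript
// Added example: escapeHtml, renderCommentUnsafe and renderCommentSafe are
// hypothetical names, not taken from the post or from any library.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every character the HTML parser treats as markup with its entity.
// One pass over the input means the "&" of an entity we just produced is
// never escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-supplied values are concatenated straight into markup,
// so the browser parses them as HTML.
function renderCommentUnsafe(author, text) {
  return '<div class="comment" title="' + author + '"><p>' + text + "</p></div>";
}

// Hardened: every user-supplied value is escaped at the point of output,
// both in the attribute value and in the element body.
function renderCommentSafe(author, text) {
  return (
    '<div class="comment" title="' + escapeHtml(author) + '"><p>' +
    escapeHtml(text) + "</p></div>"
  );
}

// Constructed sample input: a display name containing quotes and the
// comment text used earlier in this post.
const sampleAuthor = 'Tom "TJ" O\'Neil';
const sampleText = "<script>alert('Hacked');</script>";

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleText));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleText));
```

In a real page, assigning user text with `textContent` instead of `innerHTML` gives the same result for element bodies without a hand-written helper.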
Final Thoughts
I always thought hacking started with some mysterious black terminal or typing like a mad genius. But turns out, even a comment box can be a gateway if the code behind it isn’t careful.
And the best part? I’m just getting started.
This is what cybersecurity feels like - theory meets action.
Written by Andrii R
