Update HTML Injection

mappings/cvss_v3/cvss_v3.json

@@ -281,10 +281,6 @@
           "id": "content_spoofing",
           "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
           "children": [
-            {
-              "id": "iframe_injection",
-              "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
-            },
             {
               "id": "impersonation_via_broken_link_hijacking",
               "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
@@ -298,7 +294,7 @@
               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
             },
             {
-              "id": "email_html_injection",
+              "id": "html_injection",
               "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
             }
           ]

mappings/remediation_advice/remediation_advice.json

@@ -588,12 +588,6 @@
             "http://projects.webappsec.org/w/page/13246917/Content%20Spoofing"
           ],
           "children": [
-            {
-              "id": "iframe_injection",
-              "references": [
-                "http://resources.infosecinstitute.com/iframe-security-risk/"
-              ]
-            },
             {
               "id": "impersonation_via_broken_link_hijacking",
               "remediation_advice": "In order to prevent this type of injection consider the following solutions:\n\n1. Keep track of company's public 3rd party accounts, that includes social media. Whenever one is deleted, make sure it is not referenced in the application\n2. Monitor all hyperlinks pointing to 3rd party resources, as well as any other external references for that matter, and make sure that they do not become invalid, e.g. check for change in HTTP response code. In many cases it may be possible for anyone to claim such URL's and share new content.\n3. Always treat all user input as untrusted data."
@@ -610,8 +604,8 @@
               "remediation_advice": "Even if unsafe HTML tags like `<script>` or `<iframe>` are filtered out from user input, it is possible to inject `HTTP 401` authentication prompt into Flash content. In order to prevent this type of injection consider the following solutions:\n\n1. Always treat all user input as untrusted data.\n2. Always input or output encode all data coming into or out of the application.\n3. Always whitelist allowed characters and seldom use blacklisting of characters unless in certain use cases.\n4. Always use a well known and security encoding API for input and output encoding such as the `OWASP ESAPI`.\n5. Never try to write input and output encoders unless absolutely necessary. Chances are that someone has already written a good one."
             },
             {
-              "id": "email_html_injection",
-              "remediation_advice": "Always ensure that email contents cannot be tampered with. Limit what the user can insert into the email by filtering special characters and limiting the amount of characters that can be inserted. Additionally, filter out any URLs as they are often rendered as links by email providers.",
+              "id": "html_injection",
+              "remediation_advice": "1. Always sanitize user-generated input by encoding special characters and validating input against an allowlist of permitted tags and attributes.\n2. Utilize a server-side template engine or HTML escaping functions to ensure that user-supplied data is properly encoded before rendering.",
               "references": [
                 "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Input_Validation_Cheat_Sheet.md"
               ]
@@ -620,7 +614,8 @@
               "id": "email_hyperlink_injection_based_on_email_provider",
               "remediation_advice": "Always ensure that email contents cannot be tampered with. Limit what the user can insert into the email by filtering special characters and limiting the amount of characters that can be inserted. Filter out any URLs as they are often rendered as links by email providers.",
               "references": [
-                "https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet"
+                "https://owasp.org/www-community/attacks/HTML_Injection",
+                "https://developer.mozilla.org/en-US/docs/Web/Security/Cheat_Sheets/Cross-Site_Scripting_Prevention_Cheat_Sheet"
               ]
             },
             {

vulnerability-rating-taxonomy.json

@@ -598,12 +598,6 @@
           "name": "Content Spoofing",
           "type": "subcategory",
           "children": [
-            {
-              "id": "iframe_injection",
-              "name": "iframe Injection",
-              "type": "variant",
-              "priority": 3
-            },
             {
               "id": "impersonation_via_broken_link_hijacking",
               "name": "Impersonation via Broken Link Hijacking",
@@ -623,8 +617,8 @@
               "priority": 5
             },
             {
-              "id": "email_html_injection",
-              "name": "Email HTML Injection",
+              "id": "html_injection",
+              "name": "HTML Injection",
               "type": "variant",
               "priority": 4
             },