Injection & Input · Code Flaw · EXP-013

The Embedded Script

When user input became someone else's browser code

Late 1990s · JavaScript / PHP · 5 min read
Pattern Classification

Class: Boundary Collapse
Sub-pattern: Reflected Execution

Invariant

When data crosses into a system that interprets structure, without being constrained or transformed, it becomes executable.

This Instance

User input is embedded in output markup and executed by the rendering engine (browser, template)

Detection Heuristic

If user input appears inside a query, command, template, object stream, or prompt without an intermediate representation that separates data from structure — you are not passing data. You are modifying structure.
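The invariant and heuristic above as a concrete instance in JavaScript (an illustration added here, not code from the exhibit): the naive concatenation beside the encoded version, and a check that tells them apart by asking whether the input changed the tag structure of the rendered output. The function names `renderUnsafe`, `renderSafe`, `escapeHtml`, `countTags` and `inputAddedStructure` are assumed names for this example.

```javascript
// Added example, not code from the exhibit: rendering a user comment into an
// HTML list item the naive way and the constrained way, plus a structural
// check that flags output that gained tags the template did not have.

// Constructed sample input: markup that becomes page structure if copied
// into HTML unchanged.
const sampleComment = '<script>alert(1)</script>nice post';

// Vulnerable rendering: the string is spliced straight into markup, so the
// browser parses any tags in it as part of the page.
function renderUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Intermediate representation for the HTML text-node context: the characters
// that can open or close structure are replaced by character references, so
// the browser reads the input as text only.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constrained rendering: same template, input transformed before insertion.
function renderSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Structural check for a test suite or review script: count tag-like tokens
// in the output. Data must never raise that count above the template's own.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// True when the input modified structure instead of being passed as data.
function inputAddedStructure(renderFn, input) {
  const baseline = countTags(renderFn(''));
  return countTags(renderFn(input)) > baseline;
}
```

Running `inputAddedStructure(renderUnsafe, sampleComment)` returns true while the `renderSafe` variant returns false; the same check works for any template function that takes one string.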

Same Pattern Class
Why It Persists

Every new execution context recreates this pattern. SQL gave way to NoSQL, HTML to templates, cookies to JWTs, forms to APIs, prompts to agents. The language changes. The failure does not.

Pattern Connections

Cross-Domain Analog: The Concatenated Query

Same boundary collapse — SQL targets the database layer, XSS targets the presentation layer

AI Bridge: The Instructed Hallucination

XSS injects script into HTML rendering. Prompt injection injects instructions into LLM reasoning. Same boundary collapse, new execution context

Mitigated By: The Forged Request

XSS can deliver CSRF attacks — boundary collapse in the browser enables ambient authority exploitation

Year

1999–present

Context

Websites became interactive. User-generated content — comments, profiles, search queries — was displayed back to other users. The server took user input, embedded it in HTML, and sent it to the browser. The browser couldn't distinguish between the page's legitimate JavaScript and JavaScript injected through user input. If the input contained