
Let's say the Content Security Policy looks like this:

Content-Security-Policy: default-src 'self'; 

It's also not possible to upload JS files on the same origin.

Now there's an exploit to write arbitrary HTML on a page, including <script>. But <script> among other tags can't execute any scripts because of the CSP. When writing a report, should I still call it Cross Site Scripting (even though no script is executed) or would it be more accurate to say "HTML injection"?

1 Answer

Why not go with "XSS (blocked by CSP)"?

It's succinct and expresses what it technically is (while the impact might be limited to the impact HTML injection would have, you are able to enter a JavaScript context; which - depending on the browser - may or may not execute because of secondary defenses such as a CSP). You can go into details in the report itself.

In the end, it imho doesn't matter too much. CWE, for example, doesn't even differentiate between HTML injection and XSS (it only knows Improper Neutralization of Input During Web Page Generation, the examples of which include classic XSS as well as simple HTML injection).
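As an added example (not part of the question or the answer above), here is a small Node.js check of whether a given CSP header would let an injected inline <script> execute, applying the CSP fallback rule that script-src is used when present and default-src otherwise, together with a check of form-action, which has no fallback to default-src and so still permits injected markup to post elsewhere under the policy from the question. All header strings are constructed for the example.

```javascript
// Parse a Content-Security-Policy header into { directiveName: [sources...] }.
// Browsers honour only the first occurrence of a directive, so duplicates are ignored.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return directives;
}

// Would an injected inline <script> (no nonce, no matching hash) execute?
// script-src governs if present; otherwise default-src; otherwise nothing restricts scripts.
function inlineScriptAllowed(header) {
  const d = parseCsp(header);
  const governing = 'script-src' in d ? 'script-src' : 'default-src' in d ? 'default-src' : null;
  if (governing === null) {
    return { allowed: true, reason: 'neither script-src nor default-src is set' };
  }
  const sources = d[governing];
  // CSP Level 2/3: 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  const inlineOverridden = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  if (sources.includes("'unsafe-inline'") && !inlineOverridden) {
    return { allowed: true, reason: `${governing} permits 'unsafe-inline'` };
  }
  return { allowed: false, reason: `${governing} [${sources.join(' ')}] blocks inline script` };
}

// form-action (like base-uri and frame-ancestors) does NOT fall back to default-src,
// so an injected <form action=...> is only restricted when form-action is set explicitly.
function formActionRestricted(header) {
  return 'form-action' in parseCsp(header);
}

// Constructed headers: the policy from the question and a hardened variant.
const questionPolicy = "default-src 'self'; ";
const hardenedPolicy = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; form-action 'self'; base-uri 'none'";
console.log(inlineScriptAllowed(questionPolicy));   // inline script blocked by default-src
console.log(formActionRestricted(questionPolicy));  // false: HTML injection can still post forms off-site
console.log(inlineScriptAllowed(hardenedPolicy));   // still blocked, now explicitly via script-src
console.log(formActionRestricted(hardenedPolicy));  // true
```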
