HTML4 was introduced in 1997. HTML5, with the new features it introduces, also brings potential security vulnerabilities. This isn't to say that HTML5 is "flawed," but that there will be new attack vectors for hackers to exploit. Some originate from elements of the standard itself, some from implementations of the standard in each browser, and some from the care that developers do (or do not) take in building their HTML5 code.
1. postMessage
HTML5 does not itself enforce an origin check in the newly introduced postMessage API, which creates a framework for a script in one domain to pass data to a script running on another domain. This means a careless developer might not actually implement origin verification, leaving the script exposed to postMessage requests from malicious sites.
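The origin-check omission described above, as an added example that is not part of the original article: a receiver that trusts every message next to one that allowlists exact origins and validates the payload. The origins and the sample events are constructed for illustration.

```javascript
// Added example (not from the article). Two postMessage receivers: one that
// never checks event.origin, and one that allowlists exact origins, validates
// the payload shape and replies only to the verified origin (never "*").
// The sample events below are constructed to mimic MessageEvent fields.

// Hypothetical allowlist: origins this page agrees to accept data from.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://widget.example.com",
]);

// Vulnerable: every message is trusted, whatever its origin.
function unsafeHandler(event, sink) {
  sink.push(event.data);
  return true;
}

// Hardened: exact-match origin check (no prefix/substring matching), then a
// strict data-shape check before anything is acted on.
function safeHandler(event, sink, reply = () => {}) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false; // drop; log in prod
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.type !== "string") {
    return false;
  }
  sink.push(d);
  reply({ ok: true }, event.origin); // targetOrigin pinned to the sender
  return true;
}

// Constructed sample events: trusted origin, untrusted origin, a lookalike
// origin that a naive startsWith() check would accept, and a malformed payload.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "profile", name: "alice" } },
  { origin: "https://evil.example.net", data: { type: "profile", name: "mallory" } },
  { origin: "https://app.example.com.evil.net", data: { type: "profile", name: "eve" } },
  { origin: "https://widget.example.com", data: "not-an-object" },
];

// Returns which samples a handler accepted and how many reached the sink.
function runSamples(handler) {
  const sink = [];
  const accepted = SAMPLE_EVENTS.map((ev) => handler(ev, sink));
  return { accepted, delivered: sink.length };
}

console.log("unsafe:", runSamples(unsafeHandler)); // accepts all four
console.log("safe:", runSamples(safeHandler));     // accepts only the first
```

In a real page the hardened handler is registered with `window.addEventListener("message", ev => safeHandler(ev, sink, (m, o) => ev.source.postMessage(m, o)))`, so the reply is addressed to the verified origin rather than `"*"`.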
2. Local Storage
3. Attribute Abuse
In addition to providing many new tags, HTML5 also introduces new attributes, some of which may be subject to abuse. A particular threat is when attributes can be used to trigger automatic script execution.
Again, it is not that these attributes are flawed—they exist to enable richer functionality in Web applications—but that they also could be abused by bad actors.
4. Inline Multimedia and SVG
With its new <audio>, <video>, and <svg> tags, HTML5 can natively render popular formats and vector graphics without external plug-ins. For example, an earlier version of Google Chrome contained a documented bug in its SVG parser which could allow scripts to access the object properties of a page hosted on a different domain, violating the cross-domain security policy.
Each browser must implement native multimedia handling in its own way, and different bugs crop up in each implementation, which can expose multiple attack vectors.
5. Input Validation
HTML5 provides rich client-side input validation, empowering Web developers to define input boundaries alongside the forms themselves, with instant feedback provided to users. Since this input validation syntax is new to HTML5, developers may be more prone to make mistakes in their validation code, such as flawed regular expression (regex) syntax in page code that leads to a denial of service (DoS) against the browser.