MattAlex1
Nov 08, 2024

HTML Code injection Not detected by ASM

A PT was conducted on our application, and it was reported to be vulnerable to HTML injection.

URL used for evidence of exploitation is:

https://abc.com/SimpleSamples812/ChatWidget/ChatPanel.aspx?BackgroundColor=%00black%22%3e;%3c+img+scr+=x+;onerror+:+alert,1

ASM neither triggered the 'onerror' attack signatures, which are enforced, nor triggered any meta character violations.

Isn't ASM capable of detecting an attack in this pattern?

Please suggest.

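Added example, not part of the original post: decoding the `BackgroundColor` value from the URL above shows which HTML-significant characters reach the application, and an allowlist plus output encoding on the application side neutralizes them independently of what the WAF flags. The function names, the `white` default and the assumption that the parameter only needs a CSS color keyword or hex color are illustrative.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# URL quoted in the post above (the pentest evidence).
REPORTED_URL = (
    "https://abc.com/SimpleSamples812/ChatWidget/ChatPanel.aspx"
    "?BackgroundColor=%00black%22%3e;%3c+img+scr+=x+;onerror+:+alert,1"
)

# Assumption: the parameter only ever needs a CSS color keyword or a hex color.
COLOR_RE = re.compile(r"(?:[A-Za-z]{3,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})")

# Characters that can end an HTML attribute value or open a tag, plus NUL.
HTML_META = {'"', "'", "<", ">", "&", "\x00"}


def decoded_param(url, name):
    """Return the URL-decoded value of a query parameter ('+' becomes a space)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True, separator="&")
    return values.get(name, [""])[0]


def meta_characters(value):
    """List the HTML-significant characters present in a decoded value."""
    return sorted(ch for ch in set(value) if ch in HTML_META)


def safe_color(value, default="white"):
    """Allowlist check: return the value only if it is a plain color token."""
    return value if COLOR_RE.fullmatch(value) else default


def render_attribute(value):
    """Validate, then encode on output so the value cannot close the attribute."""
    color = html.escape(safe_color(value), quote=True)
    return 'style="background-color: {}"'.format(color)


if __name__ == "__main__":
    value = decoded_param(REPORTED_URL, "BackgroundColor")
    print(repr(value))
    print(meta_characters(value))
    print(render_attribute(value))
```
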