Question

I would like to know if it is possible to inject some JavaScript code through an img tag. The scenario is that one sets up an HTML page like this:

<img src="anotherdomain.com/someimage.jpg" />

Anotherdomain is my domain. Is it possible to redirect the call for /someimage.jpg to another file containing some JavaScript code that is executed when the image is requested?


Solution

The browser should not make an attempt to execute code received via an <img> tag as JavaScript. The script would be delivered to the browser, but in its place would be a broken image that could not be displayed.

Browsers will only execute scripts received in a <script> tag or in onclick, onmouseover, onmouseout, etc. attributes, as a basic security principle.
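
The behaviour described in this answer, as an added example that is not part of the original answer: a simplified Node.js model of an <img> load, in which the redirect from the question is followed and the script bytes are delivered, but the body only ever reaches an image signature check and so ends in an error event (a broken image). The paths, response bodies and function names are assumptions constructed for illustration.

```javascript
// Simplified model (constructed for illustration) of how an <img> element
// consumes a response. Paths and bodies below are made up.
const SIGNATURES = [
  { type: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { type: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Constructed responses for the hypothetical host in the question.
const SERVER = {
  "/someimage.jpg": { status: 302, location: "/payload.js" },
  "/payload.js": { status: 200, contentType: "application/javascript",
                   body: Buffer.from("alert('hi');") },
  "/real.jpg": { status: 200, contentType: "image/jpeg",
                 body: Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10]) },
};

// Follow redirects the way an image fetch would, up to a small limit.
function fetchFollowingRedirects(path, limit = 5) {
  for (let hops = 0; hops <= limit; hops++) {
    const res = SERVER[path];
    if (!res) return { status: 404, body: Buffer.alloc(0), finalPath: path };
    if (res.status >= 300 && res.status < 400) { path = res.location; continue; }
    return { ...res, finalPath: path };
  }
  throw new Error("too many redirects");
}

// Identify an image by its leading bytes; returns null for anything else.
function sniffImageType(body) {
  const hit = SIGNATURES.find(s => s.magic.every((b, i) => body[i] === b));
  return hit ? hit.type : null;
}

// The <img> element hands the body to the image decoder and nothing else:
// there is no branch here that passes it to a script engine.
function loadAsImg(src) {
  const res = fetchFollowingRedirects(src);
  const imageType = res.status === 200 ? sniffImageType(res.body) : null;
  return {
    finalPath: res.finalPath,
    bytesDelivered: res.body.length,
    event: imageType ? "load" : "error", // "error" renders as a broken image
    imageType,
  };
}
```
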

OTHER TIPS

No, all major browsers will not accept JavaScript code at this point.

No. The problem (if you want to call it that) is that the URL in question is interpreted as image data, not as a JS script. So regardless of what it is or how it's redirected, it's not going to get evaluated as JS.

Note: <script> tags work cross-domain, so you should probably just use that.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow