wwaawaw

Reputation: 7127

Why are javascript: URIs allowed in the src attribute of <img> tags?

On practically every XSS mitigation guide I've seen, the following pattern is mentioned:

<img src="javascript:evil();">

What legitimate use could this possibly have? Can you use JS code to generate a base64-encoded representation or something?

Upvotes: 3

Views: 1179

Answers (2)

alex

Reputation: 490233

It doesn't have many legitimate uses.

The way it works is probably because you can use any protocol there, and some browsers implement the javascript pseudo protocol, which can be invoked from multiple places.

Upvotes: 1

Richard JP Le Guen

Reputation: 28753

I don't know about a legitimate use, but some browsers (usually older ones) will execute the JavaScript. See the OWASP XSS Filter Evasion Cheat Sheet.

Upvotes: 1
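Since both answers come down to "some browsers will run it, so don't let it through", here is the check a practitioner would put at the sink. This is an added example, not code from the question or either answer. It allowlists the URL scheme of an untrusted value before it is used as an `<img src>`, applying the same normalisation a browser does first: leading and trailing C0 controls and spaces are dropped, tab, LF and CR are removed anywhere in the string, and numeric character references are decoded as an HTML attribute value would be. The assumption that the value may still be in attribute-encoded form, the `SAFE_SCHEMES` allowlist, the fallback placeholder path, and the sample inputs (modelled on the OWASP XSS Filter Evasion Cheat Sheet patterns) are all this example's own.

```javascript
// Added example (not from the original question or answers): allowlist the
// URL scheme of an untrusted value before it becomes an <img src>.
//
// Browsers normalise URLs before dispatching on the scheme: leading and
// trailing C0 controls and spaces are dropped, and tab, LF and CR are removed
// from anywhere in the string. An HTML parser also decodes character
// references in attribute values. So "java\tscript:", " JavaScript:" and
// "jav&#x09;ascript:" all reach the javascript: handler in a browser that has
// one. This check applies the same normalisation, then accepts only the
// schemes in SAFE_SCHEMES plus scheme-less (relative) URLs.

const SAFE_SCHEMES = new Set(["http", "https"]); // assumption: adjust per site

// Decode numeric character references (&#106; / &#x6A;) the way an HTML
// attribute value would be decoded. Assumption: the value may still be in
// attribute-encoded form; on an already-decoded value this only ever makes
// the scheme check stricter, never looser.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, num) => {
    const cp = num[0].toLowerCase() === "x"
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Apply the WHATWG URL parser's whitespace handling: strip leading/trailing
// U+0000..U+0020, then remove tab, LF and CR anywhere.
function normalizeUrl(raw) {
  return decodeNumericRefs(String(raw))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the scheme in lower case, or null for relative and
// scheme-relative (//host/path) URLs, which resolve against the page.
function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(raw));
  return m ? m[1].toLowerCase() : null;
}

function isSafeImageSrc(raw) {
  const scheme = urlScheme(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Use the check at the sink and fall back to a known-good placeholder rather
// than trying to "clean" a rejected value. The placeholder path is assumed.
function safeImageSrc(raw, fallback = "/static/blank.png") {
  return isSafeImageSrc(raw) ? normalizeUrl(raw) : fallback;
}

// Browser usage (not run here):
//   img.setAttribute("src", safeImageSrc(untrustedValue));

// Constructed inputs modelled on the patterns in the OWASP XSS Filter Evasion
// Cheat Sheet; none of these should pass the check.
const REJECTED_SAMPLES = [
  "javascript:evil()",
  " JavaScript:evil()",
  "java\tscript:evil()",
  "jav&#x09;ascript:evil()",
  "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;evil()",
  "vbscript:msgbox(1)",
  "data:text/html;base64,PHNjcmlwdD4=",
];

function allSamplesRejected() {
  return REJECTED_SAMPLES.every((s) => !isSafeImageSrc(s));
}
```

The point of doing the normalisation before looking at the scheme is that a naive `startsWith("javascript:")` test is exactly what the cheat-sheet variants are built to slip past; an allowlist on the normalised scheme rejects `javascript:`, `vbscript:` and `data:` alike without having to enumerate them. Where a WHATWG `URL` object is available, `new URL(value, document.baseURI).protocol` performs the same whitespace stripping and can replace `urlScheme` for absolute and relative URLs.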
