javascripthtmlimagejavascript-injection

Injecting javascript thourgh <img>-tag


I would like to know if it is possible to inject some javascript code through an img-tag. The scenario is that one sets up a html-page like this

<img src="anotherdomain.com/someimage.jpg" />

Anotherdomain is my domain. Is it possible to redirect the call for /someimage.jpg to another file containing som javascript code that is executed when the image is requested?


Solution

  • The browser should not make an attempt to execute code received via an <img> tag as JavaScript. The script would be delivered to the browser, but in its place would be a broken image that could not be displayed.

    Browsers will only execute scripts received in a <script> tag or onclick,onmouseover,onmouseout,etc... attributes as a basic security principle