Login/Register
Injecting javascript thourgh <img>-tag
Asked Answered
Solved javascripthtmlimagejavascript-injection
M

3

14

I would like to know if it is possible to inject some javascript code through an img-tag. The scenario is that one sets up a html-page like this

<img src="anotherdomain.com/someimage.jpg" />

Anotherdomain is my domain. Is it possible to redirect the call for /someimage.jpg to another file containing som javascript code that is executed when the image is requested?

Mayenne answered 26/11, 2011 at 20:6 Comment(2)
Not sure why this was downvoted. It is a reasonable question and not one that the answer could be easily found by an Internet search.Gerfen
It's a good question, seeing as IE has a history of obeying the Content-Types that servers send, no matter what they are. It seems this is no longer the case, fortunately.Studhorse
G
8

The browser should not make an attempt to execute code received via an <img> tag as JavaScript. The script would be delivered to the browser, but in its place would be a broken image that could not be displayed.

Browsers will only execute scripts received in a <script> tag or onclick,onmouseover,onmouseout,etc... attributes as a basic security principle

Gerfen answered 26/11, 2011 at 20:9 Comment(2)
so the only "fun" thing you can do is to redirect it to another image?Mayenne
@MathiasBak Pretty much - or send a file that is very big, eating the client's (and origin server's) bandwidth.Gerfen
J
2

no, all major browser will not accept javascript code at this point

Jacquard answered 26/11, 2011 at 20:9 Comment(0)
I
1

No. The problem (if you want to call it that) is that the URL in question is interpreted as image data, not as a JS script. So regardless of what it is or how it's redirected, it's not going to get evaluated as JS.

Note: <script> tags work cross-domain, so you should probably just use that.

Inenarrable answered 26/11, 2011 at 20:11 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.