Which browsers allow javascript to be the source of image tags?

I heard that some XSS attacks can be done by posting an image on a site with javascript as an src attribute. Are there certain browsers that will protect me from this type of attack?

+3
4 answers

From http://ha.ckers.org/xss.html :

Image XSS using the JavaScript directive (IE7.0 does not support the JavaScript directive in the context of an image, but it does in other contexts; the following shows the principles that would work in other tags as well, and will probably be revised later):

<IMG SRC="javascript:alert('XSS');">

: [IE7.0 | IE6.0 | NS8.1-IE] [NS8.1-G | FF2.0] [ O9.02 ]

+3

, , :

  • GET POST, cookie;
  • HTTP Referer;
  • crossdomain.xml, Flash.
  • cookie
  • POST URL, ,
  • URL- CSRF; .

: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

+1

Mozilla Firefox NoScript. javascripts .

+1

, javascript src= . - , , CVE, . : I have tested this against the most recent IE8, chrome and firefox, and they have all patched this issue. , MUCH , ,

<img src=img.jpg onload="alert(/xss/)"/> javascript. , , : src="fake.jpg" onload="alert(/xss/)". htmlspecialchars($image_location,ENT_QUOTES); htmlspecialchars($image_location). Html Purifier, JavaScript.

XSS, noscript.

XSRF GET. , . , xsrf , . , GET, . - , , img-, .

0
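The escaping difference named in the last answer, as an added example that is not part of the original answers: it renders the same image location with `ENT_COMPAT` and with `ENT_QUOTES`, and adds a scheme check for the `javascript:` case from the first answer. The function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: function names and sample inputs are constructed for illustration.

// Allow absolute http(s) URLs, or relative references with no scheme at all
// (no ':' before the first '/', '?' or '#'). This rejects javascript:, data:
// and similar schemes, including variants padded with whitespace or tabs.
function has_allowed_scheme(string $url): bool
{
    return $url !== ''
        && preg_match('~^(?:https?://|[^:/?#]*(?:[/?#]|$))~i', $url) === 1;
}

// Render into a single-quoted attribute so the effect of the flags is visible.
// Flags are passed explicitly: before PHP 8.1 the default was ENT_COMPAT,
// which escapes " but leaves ' untouched.
function render_img(string $location, int $flags): string
{
    return "<img src='" . htmlspecialchars($location, $flags, 'UTF-8') . "'>";
}

// Scheme check plus ENT_QUOTES escaping; returns null when the URL is refused.
function safe_img_tag(string $location): ?string
{
    if (!has_allowed_scheme($location)) {
        return null;
    }
    return render_img($location, ENT_QUOTES | ENT_SUBSTITUTE);
}

// Constructed inputs modelled on the snippets quoted on this page.
$samples = [
    "img.jpg",
    "https://example.com/cat.jpg",
    "javascript:alert('XSS');",
    "fake.jpg' onload='alert(/xss/)",
];

foreach ($samples as $s) {
    echo "input:      ", $s, "\n";
    // ENT_COMPAT: a ' in the value closes the attribute, so onload becomes markup.
    echo "ENT_COMPAT: ", render_img($s, ENT_COMPAT), "\n";
    // Hardened path: bad schemes are refused, quotes become &#039;.
    echo "hardened:   ", safe_img_tag($s) ?? "(rejected)", "\n\n";
}
```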

Source: https://habr.com/ru/post/1755858/

