-2

An image can be displayed through a .php source if the source has a proper header (as per the answer to this question).

If a website allows something.php as the image source, and displays the image (as described above), is it possible to include some kind of JavaScript in something.php that will also run when the hosting site retrieves the image? (This seems like it could open things up to a possible XSS.)

1 Answer

0

To answer the question: no, it is not possible.

Let's say the image is sourced as below for example.

<img src="http://somesite.com/something.php">

If something.php doesn't render as an image, the browser will display an [X] or not display the invalid/corrupt image.

If you throw in some JavaScript inside something.php, it will have no effect at all.

Wadih M.
  • 1,102
  • 6
  • 20
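
The behaviour the answer describes, as an added example that is not part of the original answer: a simplified JavaScript model (runnable in Node.js) of how an image context classifies a response body by its leading bytes, using a subset of the image signatures from the WHATWG MIME Sniffing standard. The function names and the sample bodies are constructed for illustration; a real browser goes on to run a full image decoder.

```javascript
// Simplified model: an <img> element hands the response body to an image
// decoder. The body is never parsed as HTML or run as script in this context.
// Signature subset taken from the WHATWG MIME Sniffing image patterns.
const IMAGE_SIGNATURES = [
  { mime: "image/png",  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x37, 0x61] }, // "GIF87a"
  { mime: "image/gif",  bytes: [0x47, 0x49, 0x46, 0x38, 0x39, 0x61] }, // "GIF89a"
];

// Return the image MIME type matching the leading bytes, or null if none match.
function sniffImageType(body) {
  for (const sig of IMAGE_SIGNATURES) {
    const matches = body.length >= sig.bytes.length &&
      sig.bytes.every((b, i) => body[i] === b);
    if (matches) return sig.mime;
  }
  return null;
}

// What the image context does with the body (hypothetical helper name).
// There is no branch that executes the body: it is either decoded or dropped.
function imgOutcome(body) {
  const mime = sniffImageType(body);
  return mime ? `decode as ${mime}` : "broken image";
}

// Constructed sample bodies for something.php.
// 1) Starts with the PNG signature followed by the start of an IHDR chunk.
const SAMPLE_PNG = Buffer.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
]);
// 2) Contains script text instead of image data.
const SAMPLE_SCRIPT = Buffer.from("<script>document.title = 'x'</script>", "utf8");

console.log(imgOutcome(SAMPLE_PNG));    // decode as image/png
console.log(imgOutcome(SAMPLE_SCRIPT)); // broken image
```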