In a scenario where an attacker has control over the `src` attribute of an `img` HTML tag, they could easily inject a simple JavaScript XSS payload like the following:

```html
<img src="javascript:alert(1)">
```
The attacker cannot manage to leave the `src` context. For example, the code that causes the above could be similar to the following:

```javascript
// Make new image
const img = document.createElement('img');
// Set source to hash
img.src = location.hash.substring(1);
// URL is controlled by attacker, so hash can be whatever they want. For example:
// https://ourserver.com/stuff#javascript:alert(1)
```
If you try to run the example scenario above in your own browser, you will probably observe that nothing happens. This is because JavaScript has apparently been deprecated in the `src` (after IE version 6) and `style` (after IE version 10) attributes in `img` tags. The issue with this is that I could not manage to find any explicit rule that says that a browser should not execute JavaScript in this context (as it is a URI, it should be valid).
This all leads me to the big question: is this example code secure? Is there any spec that details that in all future browser versions, JavaScript should not execute in `src` or `script` tags? Yes, there are many answers (see above) on Security SE that mention that XSS should not happen in these cases, but is there a guarantee?