
XSS: Does src attribute alone in img tag cause XSS?

The img tag below contains only a src attribute. Will it cause XSS without having other attributes like window events, e.g. onerror=eval(src)?

<img src=javascript:alert('XSS')>

As long as the JavaScript won't be executed, you don't have to be worried about XSS.

It would be a problem if you used the value from frontend in backend.

Example:

<input type="text" name="age">

The user types: <script>document.body.innerHTML = 'Hacked!';</script>

Now in the backend you simply use echo $_POST['age'].

So as you see, it is good that you care about your own code, but be more careful about what the user could type, because that's the dangerous part!

In your case <IMG SRC=javascript:alert('XSS')> won't be executed. And even if it were executed, that's just something that YOU typed, not the user.

This particular line of code in isolation: No.

A website that can be tricked into generating such a line of code: Probably yes.

If your template is something like:

<img src=$user_data>

Then it is almost certainly vulnerable.

Even if you're trying to blacklist some "bad characters" in the submitted data, it may still be vulnerable. For example, even if you forbid spaces, it's still possible to add extra attributes by taking advantage of error recovery from invalid markup:

<img src="foo"/onerror="baz">

The only certain solution, which is also relatively simple, is:

  1. Escape the data you print in HTML. At minimum change < to &lt; and " to &quot;.
  2. Always quote attributes with dynamic data.
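To show why both steps matter, here is an added example (not code from the question or either answer) that renders the `<img src=$user_data>` template two ways and then parses the result with Python's standard-library HTMLParser to count how many attributes the browser-style parser recovers. The sample input is the `"foo"/onerror="baz"` payload from the answer above, constructed here as test data; the function names `naive_render`, `safe_render` and `parsed_img_attrs` are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload from the answer above, supplied by the "user".
# With an unquoted template the quotes come from the user data itself.
SAMPLE_INPUT = '"foo"/onerror="baz"'


def naive_render(user_data: str) -> str:
    """The vulnerable template from the answer: attribute unquoted, value unescaped."""
    return f"<img src={user_data}>"


def safe_render(user_data: str) -> str:
    """Steps 1 and 2 applied: the attribute is always quoted and the value is
    entity-escaped (html.escape with quote=True turns & < > " ' into entities),
    so the user data can never close the quoted value and start a new attribute."""
    return f'<img src="{html.escape(user_data, quote=True)}">'


class _ImgAttrCollector(HTMLParser):
    """Records the attributes of the first <img> start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            # HTMLParser decodes entities in attribute values, so we see the
            # value the way a browser would after parsing.
            self.attrs = dict(attrs)


def parsed_img_attrs(markup: str) -> dict:
    """Parse a snippet and return the <img> tag's attributes as a dict."""
    collector = _ImgAttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


if __name__ == "__main__":
    # Unquoted template: the quote in the data ends src and error recovery
    # turns the rest into a second attribute, onerror="baz".
    print(naive_render(SAMPLE_INPUT), parsed_img_attrs(naive_render(SAMPLE_INPUT)))
    # Quoted + escaped template: exactly one attribute, whose value round-trips
    # to the original user data without becoming markup.
    print(safe_render(SAMPLE_INPUT), parsed_img_attrs(safe_render(SAMPLE_INPUT)))
```

The check worth keeping from this is the attribute count: after rendering untrusted data into a tag, the parser should recover only the attributes your template declared. Note that escaping only stops the data from breaking out of the attribute; what value ends up inside src (for instance the javascript: URL from the question) is a separate question that escaping does not decide.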

Yes, we can create XSS using the src attribute alone:

<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K" alt="add" >

The Base64 code can take care of other things.
