Skip to content

Instantly share code, notes, and snippets.

@andresriancho andresriancho/dom-xss.js
Last active Aug 29, 2015

What would you like to do?
DOM-XSS for img.src
/* In old browsers this worked: <img src=javascript:alert(1)> , tried it for DOM-XSS
in the latest Chrome and it's not working. Any payload I can set to
"user_controlled_variable" to have javascript execution?
Reference for old browsers:
.mario mentioned that it is possible to DoS firefox by setting the img.src to "javascript:while(1){}";.
* Confirmed with latest Firefox
* alert() calls are not allowed
* Can't run other javascript code since it is a very restricted javascript sandbox.
el = document.createElement('img');
el.src = user_controlled_variable;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.