javascript URLs specified as image sources are no longer executed

Published: | Categories: JavaScript | Creative Commons BY-SA 3.0


Previously, javascript URLs specified as <img>src or CSS background images were parsed and executed as normal JavaScript codes. This trick no longer works, because it could be exploited to hang the browser, leading to a denial of service (DoS) attack.