Allowing non-image in <img src> tag

VERIFIED INVALID

Product: Core
Component: DOM: Core & HTML
Version: Trunk
Reporter: Krueger Industrial Smoothing
Assignee: Unassigned

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:

A person posted a message to a forum (the message has since been removed so I can't link to it).  The message contained the following HTML:

 <img src="http://forums.thedailywtf.com/logout.aspx">



Actual results:

Any time someone went to the page containing that message, the code in "logout.aspx" was executed and the person was logged out of the forum.


Expected results:

The <img src> tag does not contain a valid image and should be ignored.  Or something.  Firefox certainly shouldn't be executing code in an image tag.  What if the code contained something more malicious than just logging off?

Updated

4 years ago
Component: Untriaged → HTML: Parser
Product: Firefox → Core
We can't know if it's an image before loading the URL.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Component: HTML: Parser → DOM: Core & HTML
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → INVALID
Version: 21 Branch → Trunk
Indeed.  The fact that the forum uses a GET for logout is just daft.  :(  And there's no way we can protect against it on our end, as Ms2ger points out.
Status: RESOLVED → VERIFIED
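
The fix the last comment points to belongs on the forum's side: logout must not be reachable by GET. As an added example (not part of the bug report or the forum's code), here is a minimal Python WSGI logout handler that refuses the GET an `<img src>` issues and requires a POST carrying a per-session token; the `sid` cookie, the `csrf_token` field and the in-memory `SESSIONS` store are assumptions.

```python
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SESSIONS = {}  # constructed in-memory store: session id -> CSRF token

def login():
    """Create a session and return (session_id, csrf_token)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token

def logout_app(environ, start_response):
    """WSGI handler for a hypothetical logout endpoint."""
    def reply(status, headers=()):
        start_response(status, [("Content-Type", "text/plain"), *headers])
        return [status.encode() + b"\n"]

    # <img src> can only issue GET, and GET must never change state.
    if environ["REQUEST_METHOD"] != "POST":
        return reply("405 Method Not Allowed", [("Allow", "POST")])

    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else ""
    expected = SESSIONS.get(sid)
    if expected is None:
        return reply("401 Unauthorized")

    # A cross-site form can still POST with the user's cookie attached, so
    # also require the per-session token embedded in the forum's own pages.
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
    supplied = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return reply("403 Forbidden")

    del SESSIONS[sid]
    return reply("303 See Other", [("Location", "/")])

def send(method, sid, body=b""):
    """Drive the handler without a network; returns the HTTP status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "HTTP_COOKIE": f"sid={sid}",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    logout_app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Setting `SameSite=Lax` or `Strict` on the session cookie adds a second layer, since the browser then omits the cookie from cross-site subresource requests such as image loads.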