User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:
A person posted a message to a forum (the message has since been removed so I can't link to it). The message contained the following HTML:

<img src="http://forums.thedailywtf.com/logout.aspx">

Actual results:
Any time someone went to the page containing that message, the code in "logout.aspx" was executed and the person was logged out of the forum.

Expected results:
The <img src> tag does not contain a valid image and should be ignored. Or something. Firefox certainly shouldn't be executing code in an image tag. What if the code contained something more malicious than just logging off?
We can't know if it's an image before loading the URL.
Indeed. The fact that the forum uses a GET for logout is just daft. :( And there's no way we can protect against it on our end, as Ms2ger points out.
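The thread's conclusion is that the browser cannot refuse to fetch the image URL, so the fix has to be server-side: a state-changing action like logout must not be reachable by a plain GET, since the browser attaches the session cookie to any subresource request. The following added example (not code from Bugzilla, Firefox or the forum; the request model, session store and handler names are constructed for illustration) contrasts a GET-triggered logout with a hardened handler that only accepts POST carrying a per-session CSRF token, and simulates what an <img src="/logout.aspx"> load looks like to each.

```python
import hmac
import secrets


class Request:
    """Constructed minimal HTTP request model: method, path, cookies, form body."""

    def __init__(self, method, path, cookies=None, form=None):
        self.method = method
        self.path = path
        self.cookies = cookies or {}
        self.form = form or {}


# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a session and a per-session CSRF token; return the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def csrf_token(sid):
    """Token the server would embed in its own logout form for this session."""
    return SESSIONS[sid]["csrf"]


def logout_get_vulnerable(req):
    """Logout reachable by GET, as in the report: any cross-site fetch that
    carries the session cookie (an <img> load is enough) ends the session."""
    sid = req.cookies.get("sid")
    if req.method == "GET" and sid in SESSIONS:
        del SESSIONS[sid]
        return 200
    return 405


def logout_hardened(req):
    """Logout that requires POST plus the session's CSRF token in the body.
    An image fetch is a GET with no body, so it can never satisfy this."""
    if req.method != "POST":
        return 405
    sid = req.cookies.get("sid")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    supplied = req.form.get("csrf", "")
    # Constant-time comparison so the token check does not leak timing information
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403
    del SESSIONS[sid]
    return 200


def simulate_image_fetch(handler, sid):
    """What the browser sends when rendering <img src="/logout.aspx">:
    a GET with the victim's cookies attached and no form body."""
    return handler(Request("GET", "/logout.aspx", cookies={"sid": sid}))


def legitimate_logout(handler, sid):
    """Submission of the site's own logout form, which includes the token."""
    return handler(Request("POST", "/logout.aspx",
                           cookies={"sid": sid},
                           form={"csrf": csrf_token(sid)}))


if __name__ == "__main__":
    victim = login("alice")
    print("vulnerable handler, image fetch:", simulate_image_fetch(logout_get_vulnerable, victim),
          "session alive:", victim in SESSIONS)
    victim = login("alice")
    print("hardened handler, image fetch:", simulate_image_fetch(logout_hardened, victim),
          "session alive:", victim in SESSIONS)
    print("hardened handler, real form post:", legitimate_logout(logout_hardened, victim),
          "session alive:", victim in SESSIONS)
```

Requiring POST alone is not sufficient, because a cross-site form can still auto-submit a POST; the per-session token is what a third-party page cannot obtain. Marking the session cookie SameSite=Lax adds a second layer, since browsers then omit it from cross-site subresource loads such as images.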