Data URLs and XSS injections

I knew there were ways to embed an image into an HTML page by adding a 'src' to the 'img' tag which contained the whole base64 encoded image file. What I didn't know is that there are ways to use similar methods to invoke javascript in context of the current page.

For example, HTML tags like the following could be used to inject XSS into any page. Most browsers (especially chrome) do protect against this, but it may be possible to get around some of the security measures.



Read this for little more background.


Popular posts from this blog

Brewers CAP Theorem on distributed systems

The pain of Load balancing applications

Patches: Pull or Push ?