Hi Marcin,

On Nov 18, 2009, at 14:37 , Marcin Hanclik wrote:
>>> One could request an
>>> image that is redirected to
>>> http://address/of/image?put+a+complete+script+here
>>> and then evaluate the query.
> Ok, but then it will still be processed as image and will result in an
> invalid image, I think.
Not so. Consider the following piece of Perl:

#!/usr/bin/perl
# CGI script: answer with a redirect whose query string carries the script
print "Location: img.png?alert('I am evil!')\n\n";

And the following HTML:

<!DOCTYPE html>
<!-- same-origin iframe, so the parent document can read its final location -->
<iframe src='img.pl' id='pl'></iframe>
<script>
window.onload = function () {
  // the query string of the redirected URL is read back and evaluated
  eval(unescape(document.getElementById("pl").contentDocument.location.search.substring(1)));
}
</script>

This produces the expected alert. No script was ever exchanged, and I get the image to display perfectly fine.

-- 
Robin Berjon - http://berjon.com/
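An added example, not taken from either message in this thread: the check this exchange implies for an access policy that follows redirects, written in Python. It walks a redirect chain against a constructed, offline stand-in for the server (widget.example and outside.example are placeholder hosts; the redirect mirrors img.pl above) and shows that checking only the URL the page requested lets the hop through, while checking every Location target does not, and that the final URL's query string is readable data whatever Content-Type the resource has.

```python
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for the network: URL -> (status, headers).
# The first entry plays the role of img.pl; hosts are placeholders.
RESPONSES = {
    "http://widget.example/img.pl": (
        302, {"Location": "http://outside.example/img.png?alert('I am evil!')"}),
    "http://outside.example/img.png?alert('I am evil!')": (
        200, {"Content-Type": "image/png"}),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def origin(url):
    """scheme://host[:port], lower-cased, for allowlist comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def fetch(url):
    """Look up a constructed response; unknown URLs are 404."""
    return RESPONSES.get(url, (404, {}))


def follow(url, allowed, check_every_hop, max_hops=5):
    """Follow redirects from url. With check_every_hop=False only the URL the
    page asked for is checked against the allowlist; with True every Location
    target is checked as well. Returns (permitted, hops)."""
    hops = [url]
    for i in range(max_hops):
        if (i == 0 or check_every_hop) and origin(url) not in allowed:
            return False, hops
        status, headers = fetch(url)
        if status not in REDIRECT_CODES or "Location" not in headers:
            return True, hops
        url = urljoin(url, headers["Location"])
        hops.append(url)
    return False, hops  # too many hops: refuse rather than keep looping


def readable_query(hops):
    """What an embedding page can read back from the final location: the
    query string is plain data, regardless of the resource's Content-Type."""
    return urlsplit(hops[-1]).query
```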