

Imagejs – A small tool to hide JavaScript inside a valid image file - brbcoding
http://jklmnn.de/imagejs/

======
toblender
Very cool. However I wonder if someone will try this on sharing sites like
facebook to see if it works.

~~~
dwild
An img tag won't execute a script, it need to be the src of the script tag.

I'm curious to see the really specific case where this is needed. What
actually will scan to make sure it's an image but then set it as a src on a
script tag?

~~~
ins0
some javascript files are merged over params like ?js=foo.js_bar.js but indeed
the attack surface is very small

~~~
dwild
Ok you would first need to upload the gif on the website and then do that.
Yeah interesting, really small attack surface but still one that we should
think about.

------
ins0
this technique is old - but good to remind someone that this is possible

