Some older browsers are vulnerable to XSS attacks such as:

<img src="javascript:alert('yo')" />

Current versions of IE, FF, Chrome are not.

I am curious if any browsers are vulnerable to a similar attack:

<img src="somefile.js" />

or

<iframe src="somefile.js" />

or other similar where somefile.js contains some malicious script.

+1  A: 

Click here

This is a website (a safe one too, although the link looks suspicious). It shows you some XSS attacks and lists the browsers that are vulnerable to them. Not too far from the top, it shows the <img src> attributes.

Anthony Forloney
I have seen that site. It does not have an answer to my question.
Matthew
+1  A: 

All major browsers are still vulnerable to these attacks. Tons of ways of using img tags are still around. For example:

<img src='#' onerror=alert(1) />

Look for RSnake's xss cheatsheet, those are just some vectors. By the way, I've heard he's coming up with a new version of his cheatsheet soon.

pcp
A: 

Here you can find some XSS attack vectors: http://ha.ckers.org/xss.html

Soup
A: 

No. Image data is never executed as JavaScript. If the src is a JavaScript link, the JavaScript is executed, but the fundamental reading of data that comes from a request to the src does not involve JavaScript.

Eli Grey
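
An allowlist filter covering the two cases raised in this thread (the `javascript:` src from the question and the `onerror` handler from pcp's answer), added here as an example and not code from any of the posters. It assumes the attributes have already been extracted by a real HTML parser into a name/value object; `BASE_URL` and the function names are hypothetical.

```javascript
// Added example: allowlist filter for <img> attributes taken from untrusted markup.
// Assumption: attributes arrive as a name -> value object from a real HTML parser.
const ALLOWED_ATTRS = new Set(["src", "alt", "title", "width", "height"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Hypothetical page origin, used only to resolve relative URLs.
const BASE_URL = "https://example.com/";

// Returns the resolved URL if its scheme is allowlisted, otherwise null.
function safeImgSrc(src) {
  let url;
  try {
    // The WHATWG URL parser normalises the scheme the way a browser does,
    // so the check is made on what the browser would actually load.
    url = new URL(String(src), BASE_URL);
  } catch (e) {
    return null; // unparseable URL: reject
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Returns a cleaned attribute object, or null if the element must be rejected.
function sanitizeImgAttributes(attrs) {
  const clean = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    // Anything not allowlisted is dropped, including every on* event handler.
    if (!ALLOWED_ATTRS.has(name)) continue;
    if (name === "src") {
      const href = safeImgSrc(value);
      if (href === null) return null; // script-capable or unknown scheme
      clean.src = href;
    } else {
      clean[name] = String(value);
    }
  }
  return "src" in clean ? clean : null;
}

// Constructed samples built from the snippets quoted in this thread.
const samples = [
  { src: "javascript:alert('yo')" },
  { src: "#", onerror: "alert(1)" },
  { src: "somefile.js", alt: "pic" },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", JSON.stringify(sanitizeImgAttributes(s)));
}
```

The `somefile.js` case passes the filter because, as Eli Grey's answer says, data fetched for an image src is not run as script; the filter only has to stop script-capable URL schemes and event-handler attributes.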