Is this javascript vulnerable for XSS?

**Henna** · 10-31-2012 04:21 AM

I´m woundering if this code is vulnerable for XSS attacks?

Javascript function:

Code:

function viewImage(i) {
	img = document.getElementById("largesize");
	img.src = i.src;
}

and the call to the function in the code:

Code:

<img src="photos/image1.jpg" onclick="viewImage(this)">
<img src="photos/image2.jpg" onclick="viewImage(this)">

etc

Is it somehow possible to call the function with other values than the one in the code and enter malicious code?

Is it safer or unsafer to call the function like this instead?

Code:

<a href="javascript:viewImage('photos/image1.jpg');"><img src="photos/image1.jpg"></a>

The image is showed here after the call:

Code:

<img src="photos/image1.jpg" id="largesize">

**ReFreezed** · 10-31-2012 08:37 AM

It's all safe. And I would use the first method, not because it's safer or unsafer, but simply because you don't have to write the image url two times. And also, it's less code.

**rnd me** · 11-03-2012 12:27 AM

javascript doesn't have any XSS vulnerabilities, CMSs and comment systems do...

Thread: Is this javascript vulnerable for XSS?

Thread Tools

Display

Hybrid View

Is this javascript vulnerable for XSS?

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions