Discussion on: This Image Is Also a Valid Javascript File

Etienne Burdet

Wow, really… cool… 🤔 … scary?
One use could be to embed trackers in image files (Giphy does that already maybe?). The other one would be straight hacking.

None of that sounds like "great user experience", but it's good to know it's a thing 😬

Vladimir Šetka

How would you embed a tracker? The code won't execute unless it's in a script tag, at which point you might as well just load JavaScript.

If you're talking about embedding information in an image, there are already ways to do that (search for steganography).

Etienne Burdet (edited)

Well, I don't know precisely, but I was thinking of something around a Giphy copy-paste style: either with an iframe, or a little bit of JS script that seems to load a valid image. Like "copy this <script> … </script> at the bottom of your page and insert your .gif URL", which seems to be a perfectly valid .gif if you open it in a browser.

Or a service like Cloudinary could do that: inject a script in your images and then execute it inside their SDK (while the URL still gives a perfectly valid image).
That seems overcomplicated though… Giphy just uses a plain iframe without hiding anything and nobody cares 😅