Beware Of The “onerror” Attribute On IMG HTML Tags

Yesterday, we stumbled onto a link posted on the JVF Blog that pointed to a seemingly innocuous page on my.nbc.com. What was odd was that when you clicked on the link, it would take you to my.nbc.com, but after a few moments it would redirect you to a site selling adult videos.

We scoured the source of my.nbc.com and found no “script” tags or “META” refresh tags that could account for the delayed redirect. However, after a little more digging, we found the following tag smack dab in the middle of the page:

[Screenshot: the injected IMG tag with its onerror attribute, as found in the page source]
As always, a feature added to help webmasters detect a broken image (and alert themselves or others, or fail gracefully) has been turned into an attack vector. At least it keeps all of us on our toes!

Please beware of folks attempting to hijack your site by planting this kind of tag in blog comments, profile updates and other user-supplied content. If there is any way for you to “strip tags” from all comments before they are published, I’d do so just to make sure you’re safe.
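As an added example (not code from the original post or from my.nbc.com), here is one way to do that tag stripping server-side in Python: an allow-list sanitizer built on the standard library's `html.parser` that drops every `on*` event-handler attribute, rejects non-http(s) URLs in `src`/`href`, discards `script`/`style` contents and re-escapes all text. The tag/attribute policy and the sample comment are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical policy: tags a comment may keep, and the attributes allowed on each.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://")

class CommentSanitizer(HTMLParser):
    """Re-serialises input, keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.drop_text = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.drop_text = True          # discard their contents entirely
            return
        if tag not in ALLOWED:
            return                         # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:          # parser already lower-cases names
            if name.startswith("on") or name not in ALLOWED[tag]:
                continue                   # onerror, onload, onclick ... never survive
            if name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue                   # drop javascript:, data: and other non-http(s) URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.drop_text = False
        elif tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_text:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

def sanitize_comment(html: str) -> str:
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed comment mimicking the injected tag the post describes.
SAMPLE_COMMENT = ('Great article! <img src="http://example.com/x.png" '
                  'onerror="location.href=\'http://unwanted.example/\'">'
                  '<script>alert(1)</script>')

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE_COMMENT))
```

Removing the `onerror` attribute alone is not enough, which is why the same pass also rejects non-http(s) `href`/`src` values and re-escapes text: the identical redirect can be carried in a `javascript:` link.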

Good luck!