<img> tag? Why, by combining an XSL transform into an SVG image of course!
I stumbled across this old file in my archives:
If you run it e.g. in Chrome, it'll consume a load of CPU (and subsequently memory if you let it crank). I expect it'll do the same in any WebKit browser, and Opera's error message implies it has all the pieces to follow suit if I tweaked the file a bit.
It's not a significant security issue, but it's an interesting quirk. It works because SVG and XSL are both XML formats, and XSL can use a self-referential construct to operate on itself as the input document:
<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
If the XSL output is valid SVG, the browser renders it, so you could probably pull some crazy tricks to generate a complicated SVG on the fly. My sample file doesn't get that far; it simply runs a deliberately expensive stylesheet transform that produces a large output.
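As an added example (not the author's file or code), here is a small Python scan that flags the self-referential construct described above in SVGs before they are served, together with a constructed minimal instance of the pattern that merely renders a circle; the function names and the accept/reject policy are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
XSL_ROOTS = {"{%s}stylesheet" % XSL_NS, "{%s}transform" % XSL_NS}

# ElementTree drops processing instructions, so the PI is read from the raw text.
PI_RE = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.DOTALL)
PSEUDO_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def stylesheet_pis(doc: str) -> list:
    """Pseudo-attributes of every xml-stylesheet PI in the document."""
    return [{k: dq or sq for k, dq, sq in PSEUDO_ATTR_RE.findall(m.group(1))}
            for m in PI_RE.finditer(doc)]

def scan_svg(doc: str) -> dict:
    """Detect the self-referential construct: an xml-stylesheet PI whose href is
    a fragment (#id) that resolves to an xsl:stylesheet embedded in the SVG itself."""
    root = ET.fromstring(doc)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    embedded_xsl = any(el.tag in XSL_ROOTS for el in root.iter())
    fragment_hrefs = [pi["href"] for pi in stylesheet_pis(doc)
                      if pi.get("href", "").startswith("#")]
    targets_xsl = any(by_id.get(h[1:]) is not None and by_id[h[1:]].tag in XSL_ROOTS
                      for h in fragment_hrefs)
    return {
        "self_referential_pi": bool(fragment_hrefs),
        "embedded_xsl": embedded_xsl,
        "pi_targets_embedded_xsl": targets_xsl,
        # A sanitizer would drop the PI and the XSL subtree rather than only flag them.
        "accept": not (targets_xsl or embedded_xsl),
    }

# Constructed sample: the mechanism from the post, minus the expensive transform.
# The transform's output is itself SVG, so a browser renders the generated circle.
SELF_REFERENTIAL_SVG = """<?xml-stylesheet type="text/xsl" href="#stylesheet"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xsl="http://www.w3.org/1999/XSL/Transform" width="100" height="100">
  <xsl:stylesheet id="stylesheet" version="1.0">
    <xsl:template match="/">
      <svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
        <circle cx="50" cy="50" r="40"/>
      </svg>
    </xsl:template>
  </xsl:stylesheet>
</svg>"""

# Constructed benign sample for comparison.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    print(scan_svg(SELF_REFERENTIAL_SVG))
    print(scan_svg(BENIGN_SVG))
```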
If anyone wanted to play with this, there may be interesting issues with the unusual context the XSL is executing in. What if you used xsl:import or the document() XPath function? What origin is used for security checks? And so on.