There's actually a related JavaScript security bug in Netscape 4.x about this. The text data is stored in a comment tag inside the image. When Netscape viewed the "About" page for the image, it also displayed the embedded comments. It didn't escape the input so any embedded JavaScript was then run in "local filesystem" context instead of "internet" context.