Typically XSS attacks work by injecting <script> tags, but it is also possible to inject JavaScript through the <iframe> and <img> tags by setting their src attribute to a URL that uses the javascript: pseudo-protocol. For example:

Note, however, that the two vectors are not equivalent. Current browsers no longer execute a javascript: URL in an <img> src at all (that was a behaviour of old Internet Explorer and Netscape releases), so in practice the <iframe> variant is the one that still fires. The script in that case runs inside the frame's own browsing context rather than directly in the parent page, but that is not a real boundary: a frame navigated to a javascript: URL inherits the embedding page's origin, so the injected code can reach the parent document through window.parent and parent.document. A filter that lets javascript: through in src attributes is therefore as exploitable as one that lets <script> tags through.
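The following is an added example, not code from the original page: it builds the two injected-markup forms described above and then shows the check a filter needs in order to catch the javascript: pseudo-protocol in a src attribute, including the obfuscations browsers tolerate before reading the scheme (mixed case, leading whitespace, embedded tab or newline characters, and HTML character references). The function names (buildPayloads, decodeEntities, extractScheme, isSafeSrc, findUnsafeSrc) and the sample markup are assumptions made for the example.

```javascript
// Added example (not from the original page). All markup below is constructed
// sample input; the helper names are hypothetical.

// The injected markup the text describes. The <img> form is kept for
// completeness; modern browsers refuse to run javascript: from an img src.
function buildPayloads(js) {
  return {
    iframe: `<iframe src="javascript:${js}"></iframe>`,
    img: `<img src="javascript:${js}">`,
  };
}

// Decode the character references an attribute value may carry (decimal, hex,
// and a few named ones). The browser decodes these before parsing the URL, so a
// filter that compares the raw bytes against "javascript:" misses "&#106;avascript:".
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                  tab: '\t', newline: '\n', colon: ':' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) ? String.fromCodePoint(cp) : m;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : m;
  });
}

// Normalise the way a URL parser does: strip leading/trailing C0 controls and
// spaces, drop ASCII tab/CR/LF anywhere in the string, then read the scheme.
// Returns the lower-cased scheme, or null for a relative URL.
function extractScheme(raw) {
  const decoded = decodeEntities(raw);
  const trimmed = decoded.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  const stripped = trimmed.replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list check: only http(s) or scheme-less (relative) URLs are accepted.
// Denying "javascript:" by name would miss vbscript:, data: and friends.
function isSafeSrc(raw) {
  const scheme = extractScheme(raw);
  if (scheme === null) return true;
  return scheme === 'http' || scheme === 'https';
}

// Scan a fragment of markup for src attributes whose value fails isSafeSrc.
// Returns [{ tag, src }, ...] for every offending element.
function findUnsafeSrc(html) {
  const attr = /<([a-z][a-z0-9-]*)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const src = m[2] ?? m[3] ?? m[4];
    if (!isSafeSrc(src)) hits.push({ tag: m[1].toLowerCase(), src });
  }
  return hits;
}

// Usage: build the two payloads, mix them with a benign image, and scan.
const samplePayloads = buildPayloads('alert(document.domain)');
const sampleMarkup = samplePayloads.iframe + samplePayloads.img +
  '<img src="https://example.org/logo.png">' +
  '<img src="java&#x09;script:alert(1)">';
console.log(findUnsafeSrc(sampleMarkup));
```

The check deliberately allow-lists schemes instead of searching for the string "javascript:": the normalisation step is what defeats the usual bypasses, and anything that is not http, https or relative is rejected so that data: and vbscript: do not slip past a deny-list.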