Question

Being ignorant in this area, I call upon the SO community to educate me on this.

Is it safe to allow <img> sources with a .html extension on, say, a community message board? One example of this I've seen is someone sourcing ~20 of these images, which, when rendered on the page, output the letters of the viewer's location.


Solution

If you want, you can execute PHP as part of an image (which is how you can display info about a remote box, by dynamically generating the image with PHP); similarly, you can force a server to serve an image with the correct headers under a random extension (including .html).

So limiting the extension in the img tag really won't achieve anything; it is always executed within the context of an image: the browser expects an image, and if anything else is returned, it won't render.

The only important thing with these is possible CSRF vulnerabilities, because regardless of the image's validity, the browser WILL always request the target URL, so you could for instance force someone to log out upon viewing your avatar (in the simplest form you would just put http://thecurrentsite.com/?logout as your avatar).

So in summary you don't need to worry about code injection; however, even if you are using request tokens it is better to limit the variability of the URL that can be inserted (forbid local URLs, page fragment identifiers, etc.).
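As an added example (not part of the original answer or of any real message-board software), here is a server-side check in Python that applies the advice above: it ignores the file extension entirely and instead rejects avatar URLs that could be turned into a forced request against the board itself (same-site or relative URLs, fragment identifiers, embedded credentials, loopback or private addresses), plus a small guard showing why the logout endpoint itself must refuse GET regardless of what the avatar filter allows. The hostnames thecurrentsite.com and cdn.example.net, the `SITE_HOSTS` set and the function names are assumptions chosen for illustration.

```python
import hmac
import ipaddress
from urllib.parse import urlsplit

# Hostnames the board itself is served from (hypothetical values for this example).
SITE_HOSTS = {"thecurrentsite.com", "www.thecurrentsite.com"}

MAX_URL_LENGTH = 2048


def _is_private_host(host: str) -> bool:
    """True for 'localhost' and for loopback/private/link-local IP literals.

    DNS names cannot be resolved offline here, so they are treated as public;
    a production deployment would resolve and re-check at fetch time.
    """
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def check_avatar_url(url: str, site_hosts=SITE_HOSTS):
    """Return (ok, reason) for a user-supplied <img src>.

    The extension is deliberately NOT examined: as the answer notes, a server
    can serve a real image under any extension, and the browser only renders
    the response if it is an image anyway. What matters is where the viewer's
    browser is forced to send a request.
    """
    url = url.strip()
    if len(url) > MAX_URL_LENGTH:
        return False, "too long"
    if "#" in url:
        return False, "fragment identifier not allowed"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        # Covers relative URLs ("/?logout"), scheme-relative ("//host/x"),
        # and javascript:/data: URLs, all of which have no http(s) scheme.
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        # "http://thecurrentsite.com@evil.com/" would otherwise look same-site.
        return False, "credentials in URL"
    host = parts.hostname.lower()
    if host in site_hosts or any(host.endswith("." + h) for h in site_hosts):
        return False, "points at this site (CSRF risk)"
    if _is_private_host(host):
        return False, "loopback or private address"
    return True, "ok"


def state_change_allowed(method: str, submitted_token, session_token) -> bool:
    """Guard for logout or any other state-changing endpoint.

    A GET is refused even when it carries a valid token, so an <img> request
    (which is always a GET) can never trigger the action. A POST must carry
    the token bound to the session, compared in constant time.
    """
    if method.upper() != "POST":
        return False
    if not submitted_token or not session_token:
        return False
    return hmac.compare_digest(submitted_token, session_token)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the original page.
    for candidate in (
        "https://cdn.example.net/avatar.html",      # odd extension, but harmless
        "http://thecurrentsite.com/?logout",        # the answer's forced-logout example
        "/?logout",                                 # relative form of the same attack
        "http://thecurrentsite.com@evil.com/a.png", # credential trick
        "http://127.0.0.1/admin/reset",             # viewer's own machine
    ):
        print(f"{candidate!r:50} -> {check_avatar_url(candidate)}")
```

The URL filter is defence in depth only; the second function is the real fix, because no amount of avatar filtering helps if the board's own logout (or delete, or transfer) endpoint accepts a plain GET.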

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow