If you want, you can execute PHP as part of an image (which is how you can display info about a remote box, by dynamically generating the image with PHP); similarly, you can force a server to serve an image with correct headers and a random extension (including .html).
So limiting the extension in the img tag really won't achieve anything; it is always executed within the context of an image, the browser expects an image, and if anything else is returned, it won't render. The only important thing with these things is possible CSRF vulnerabilities, because regardless of the image's validity, the browser WILL always request the target URL, so you could for instance force someone to log out upon viewing your avatar (in the simplest form you would just put http://thecurrentsite.com/?logout as your avatar).
So in summary, you don't need to worry about code injection; however, even if you are using a request token, it is better to limit the variability of the URL that can be inserted (forbid local URLs, page fragment identifiers, etc.).
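
One way to apply the restriction described above to a user-supplied avatar URL, as an added example that is not part of the original answer. The function name `checkAvatarUrl`, the reason strings, the host `img.example.net` and the query-string rule are assumptions made for illustration; `thecurrentsite.com` is the placeholder host from the answer's own example.

```javascript
// Added example: policy check for user-supplied avatar URLs.
// SITE_HOST is the placeholder host used in the answer's logout example.
const SITE_HOST = "thecurrentsite.com";

function checkAvatarUrl(input, siteHost = SITE_HOST) {
  // Whitespace, backslashes and control characters are silently
  // normalised by URL parsers, so refuse them before parsing.
  if (typeof input !== "string" || /[\s\\\x00-\x1f]/.test(input)) {
    return { ok: false, reason: "malformed" };
  }
  let url;
  try {
    // No base URL is given, so relative ("/?logout") and
    // scheme-relative ("//host/x") inputs throw here.
    url = new URL(input);
  } catch {
    return { ok: false, reason: "not-absolute" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials" };
  }
  // "Local" URL: the site itself or any of its subdomains.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === siteHost || host.endsWith("." + siteHost)) {
    return { ok: false, reason: "local-url" };
  }
  // url.hash is "" for a bare trailing "#", so test the raw string.
  if (input.includes("#")) {
    return { ok: false, reason: "fragment" };
  }
  // Assumption (stricter than the answer states): avatars are static
  // files, so a query string is treated as unnecessary variability.
  if (input.includes("?")) {
    return { ok: false, reason: "query" };
  }
  return { ok: true, url: url.href };
}
```

This checks only the URL as stored; the remote host can still answer the image request with a redirect, so state-changing actions on the site still need the request token.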