Is there a reason why there is a whitelist of specific hosts? I'm pretty sure there is a way to allow all https image hosts, if that was the goal you were going for.
|
Can also do weird stuff like cookie stuffing (probably not useful here) and pulling IPs through IMG. Caught at least one person here trying to send me a PM with a .php file in an [IMG] tag.