Is it secure to blindly trust image urls and output them into html img tags on a site? Can it be used to inject code?

Question

I have to process a feed from a data provider, in this feed they provide us with image URL, currently we download them and store them in our own media server, but I was wonderin

Answer 1

Image URLs can of course point to scripts (with some URL rewriting) but there's no risk to get a script run from an image load. URL data is treated as binary image data, not as runnable text/script.

If it's a script, for your browser it's nothing more than a corrupted image file. So, no code injections risk. At least this is what I know.