The <img /> and <style></style> tags can tell the browser to load things from any valid URI, plus I think all tags can contain the style="" attribute. Therefore, obviously they can be pointed to malicious web pages, cgi scripts etc. An image doesn't have to have a jpeg, png or gif extension and they can be created on the fly, so it would be hard to filter them by name. Plus, a malicious program could be given a picture-like extension that a properly configured server would be able to execute. I never thought of that last one before now, scary.
I have a wiry brain/each eye a camera. Robot Tourist, by Ten Benson