Channel: ASP.NET AJAX + Ajax Control Toolkit (ACT)

Can images in a htmleditcontrol be a security risk for the viewer?


I have a website that lets people paste in HTML (with images) into a htmleditor extender-control from the Ajax-control-toolkit. I have turned the built-in protection (EnableSanitize) off, and have put in my own code that takes out dangerous tags such as scripts.

I then save the HTML code they pasted, and present it to other viewers in certain cases.

But the following occurred to me. Suppose a hacker has his own website, and pasted a page from that website into my HTMLeditor, which then saves his cleaned-up code to a database. An audience then views the page, including images in the page (and perhaps video and audio too). Can the hacker look at his own web statistics to see who is downloading his image? After all, the image is still on HIS server, even though the HTML code that refers to it is on my server, and is then displayed on the user's computer. And if he gets the IP address of the user's computer, can he target it?

Thanks. 
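
Added example, not part of the original post: a third-party host does see every viewer's request for an image it serves (IP address, User-Agent, usually Referer), so one mitigation is to rewrite remote media URLs in the saved HTML to a same-origin proxy before display. The code is Python rather than ASP.NET so it runs stand-alone; `SITE_HOST`, the `/media-proxy` endpoint and the sample HTML are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

SITE_HOST = "forum.example"   # assumption: host that serves the saved HTML
PROXY = "/media-proxy?u="     # hypothetical same-origin fetch-and-cache endpoint
# Attributes that make the viewer's browser request a URL as the page renders.
FETCHED = {"img": {"src"}, "video": {"src", "poster"}, "audio": {"src"},
           "source": {"src"}, "track": {"src"}}
DROPPED = {"srcset"}          # multi-URL attribute: removed instead of rewritten

def _split(url):
    # Browsers treat "\" like "/" in URLs, so normalise before parsing.
    return urlsplit(url.strip().replace("\\", "/"))

def is_remote(url):
    """True if rendering this URL would contact a host other than SITE_HOST."""
    parts = _split(url)
    if parts.scheme == "data":            # inline bytes, no network request
        return False
    return bool(parts.netloc or parts.scheme) and parts.hostname != SITE_HOST

class RemoteMediaRewriter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.remote_hosts = [], set()
    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            if name in DROPPED:
                continue
            if value and name in FETCHED.get(tag, ()) and is_remote(value):
                self.remote_hosts.add(_split(value).hostname or value)
                value = PROXY + quote(value.strip(), safe="")
            kept.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")
    def handle_starttag(self, tag, attrs): self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(html.escape(data, quote=False))

def rewrite(saved_html):
    """Return (rewritten_html, sorted third-party hosts the original referenced)."""
    parser = RemoteMediaRewriter()
    parser.feed(saved_html)
    parser.close()
    return "".join(parser.out), sorted(parser.remote_hosts)

# Constructed sample of already script-stripped user HTML.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="http://tracker.example/pixel.gif?id=42">'
          '<img src="/uploads/logo.png"><video poster="//cdn.example/p.jpg"></video>')
```

`rewrite(SAMPLE)` returns the rewritten markup plus the list of third-party hosts, which is worth logging per submission. The proxy endpoint itself has to fetch only `http`/`https` URLs, refuse internal addresses, and forward no viewer cookies or headers.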

