Unproxied HTTP request
An unproxied call to urllib2.Request in ./src/htmltextview.py is made on line 500 in the HtmlHandler class:
req = urllib2.Request(attrs['src'])
This can be used for all sorts of nasty shit. First of all, the attrs['src'] should be sanitized, but urllib2 should also use the proxy context of the current account.
Steps to reproduce
Send an image with a URL
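One way to apply both fixes named in the report, as an added example that is not code from the project: validate attrs['src'] against a scheme allowlist, then build the request on an opener bound to the account's proxy. It uses Python 3's urllib.request in place of urllib2; the function names and the `proxy` dict layout are hypothetical, and an HTTP-type proxy is assumed (a SOCKS proxy needs a different handler).

```python
# Added example: Python 3 urllib.request stands in for the page's urllib2.
from urllib.parse import urlsplit
from urllib.request import ProxyHandler, Request, build_opener

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web images are wanted


def sanitize_src(src):
    """Return the URL if it is acceptable to fetch, otherwise None."""
    if not isinstance(src, str):
        return None
    try:
        parts = urlsplit(src.strip())
        host = parts.hostname
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return None
    if not host or parts.username or parts.password:
        return None  # no host, or credentials embedded in the URL
    return parts.geturl()


def opener_for_account(proxy):
    """Build an opener that routes through the account's proxy.

    `proxy` is a hypothetical dict such as {"host": "127.0.0.1", "port": 8118},
    or None when the account has no proxy configured.
    """
    if proxy is None:
        return build_opener()
    url = "http://%s:%d" % (proxy["host"], int(proxy["port"]))
    return build_opener(ProxyHandler({"http": url, "https": url}))


def prepare_image_fetch(attrs, proxy):
    """Return (opener, Request) for an <img> tag, or None if src is rejected."""
    url = sanitize_src(attrs.get("src"))
    if url is None:
        return None
    # The caller fetches with opener.open(req), never a bare urlopen(req).
    return opener_for_account(proxy), Request(url)
```
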