Currently any link can be embedded using the img BBCode tag. This adds the possibility of embedding websites that collect HTTP headers, effectively compromising user IP addresses and referrer data (if referrer policy allows it) which could include the sid parameter. 

A possible solution would be to allow board administrators to configure a white list of websites that the images can be embedded from.