I did this today to show a possible derivation to the default imgur load (only for educational purposes)
Deep ignored the default img load and, instead, used the img tag on the second div layer to avoid this restriction.
What you see is just a simple image at first glance. In short, I have linked a malicious site to this image, because of this problem, I can upload malicious scripts on this page! The src attribute is loaded on this site, so every visitor who visits this publication is committed, regardless of the meaning.
Especially I have created an external php page to load this here.
I would describe this restriction-escape as high-severe.
To show the severity of this exposure, I have pasted half of a user agent below:
Mozilla / 5.0 (X11; Ubuntu; … Firefox / 67.0