If you're not escaping, maybe a user could upload a file named "evilfile.<script>alert('evil')</script>", but I'm not sure how stdicon.com could initiate an attack from their end.
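The point in this comment is the rendering step, not the icon service: the page that displays the uploaded filename is what turns a crafted name into markup. The following is an added example, not code from this thread or from any service it mentions; the icon base URL is a hypothetical placeholder. It shows the unescaped pattern next to a hardened version that only forwards a validated extension to the icon URL and HTML-escapes the name wherever it lands in the page.

```python
import html
import re
from urllib.parse import quote

# Hypothetical icon-service base URL; stands in for the third-party service the thread discusses.
ICON_BASE = "https://icons.example.invalid/"

# Only a short alphanumeric extension is forwarded to the icon service.
EXT_RE = re.compile(r"[A-Za-z0-9]{1,10}")


def file_extension(filename: str) -> str:
    """Return the lower-cased extension, or 'unknown' if it is not a plain token."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext.lower() if EXT_RE.fullmatch(ext) else "unknown"


def unsafe_icon_tag(filename: str) -> str:
    """The pattern the comment warns about: raw user input interpolated into HTML."""
    return '<img src="%s%s"> %s' % (ICON_BASE, filename.rsplit(".", 1)[-1], filename)


def icon_tag(filename: str) -> str:
    """Hardened form: validated extension in the URL, HTML-escaped name in the markup."""
    src = ICON_BASE + quote(file_extension(filename), safe="")
    safe_name = html.escape(filename, quote=True)
    return '<img src="%s" alt="%s"> %s' % (html.escape(src, quote=True), safe_name, safe_name)


if __name__ == "__main__":
    # Constructed filename of the kind mentioned in the comment above.
    print(icon_tag("evilfile.<script>alert('evil')</script>"))
```

Escaping with `quote=True` matters because the name is placed inside an attribute value as well as in text; the extension allowlist additionally keeps anything other than a plain token out of the URL sent to the third party.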
I had assumed that the browser would load the external JavaScript, parse it and execute the code. I understood that the code in the page (the src built by the coder) was not going to be compromised. I should have realized that the browser would treat data loaded through an img src tag differently than it would data loaded through a script src tag.
Some versions of IE can be fooled into executing JavaScript contained in an image file, but the image has to be loaded on its own (in an iframe or a new window), so it wouldn't apply to my original comment. (http://www.splitbrain.org/blog/2007-02/12-internet_explorer_...)
This site does still seem like it could lead to security issues.
Couldn't they return a 302 redirect header to a private resource?
HTTP/1.1 302 Found
Location: http://www.yoursite.com/blog/entries/delete/123
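The browser follows that redirect as part of the image fetch and sends the site's cookies with it, so whether anything bad happens depends entirely on whether the target URL changes state on a plain GET. The following is an added example, not code from this thread or from any site it mentions; the handler, session layout and entry store are constructed. It shows a delete endpoint that refuses anything but POST and also requires a per-session token, so a redirected image request (a GET) and a cross-site form submission (a POST without the token) both fall through without touching data.

```python
import hmac
import secrets


def new_session(user: str) -> dict:
    """Constructed server-side session: holds the user and a per-session CSRF token."""
    return {"user": user, "csrf": secrets.token_hex(16)}


def handle_delete_entry(method: str, session: dict, form: dict, entry_id: int, entries: dict) -> int:
    """Handler for /blog/entries/delete/<id>. Returns an HTTP status code.

    A request produced by an <img> fetch that followed a 302 is a cookie-bearing GET,
    so the method gate alone stops it; the token check also stops a cross-site form POST.
    """
    if method != "POST":
        return 405  # state changes only on POST
    token = form.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403  # token missing or wrong
    if entries.get(entry_id, {}).get("owner") != session["user"]:
        return 404  # do not reveal other users' entries
    del entries[entry_id]
    return 200


def redirected_image_fetch(session: dict, entries: dict) -> int:
    """What the server sees after the browser follows the 302 from the image request: a GET."""
    return handle_delete_entry("GET", session, {}, 123, entries)


if __name__ == "__main__":
    s = new_session("alice")
    store = {123: {"owner": "alice", "title": "constructed entry"}}
    print(redirected_image_fetch(s, store), 123 in store)  # the entry survives
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second layer, since the browser then withholds the cookie on cross-site subresource requests such as this redirected image load; the method and token checks above do not depend on it.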