They can redirect you as well (or you can put a non-image inside an image tag). Which means you have to make sure it's safe to merely navigate to a page/resource, otherwise you have a "Confused Deputy" vulnerability (i.e. CSRF).
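An added example, not part of the comment above: one way a server can make plain navigation and image loads harmless, by keeping state changes off safe methods and then checking request origin and a CSRF token. The route table, the `auditRoutes` and `decide` functions, and the request fields are hypothetical names for illustration.

```javascript
// Added example. Routes, field names and token values are constructed.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const ROUTES = new Map([
  ["/avatar.png", { method: "GET", mutates: false }],
  ["/account/delete", { method: "POST", mutates: true }],
]);

// Deploy-time check: a state-changing route behind a safe method can be
// triggered by an <img> load or a redirect, so report every such route.
function auditRoutes(routes) {
  return [...routes]
    .filter(([, r]) => r.mutates && SAFE_METHODS.has(r.method))
    .map(([path]) => path);
}

// Length-checked comparison with no early exit on the first mismatch.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, path, headers (lower-case names), sessionToken, formToken }
function decide(req, routes = ROUTES) {
  const route = routes.get(req.path);
  if (!route) return { status: 404, reason: "unknown route" };
  if (req.method !== route.method) {
    return { status: 405, reason: "method not allowed" };
  }
  if (!route.mutates) return { status: 200, reason: "safe read" };

  // Fetch Metadata: browsers that send Sec-Fetch-Site say where the request
  // originated; reject anything not same-origin or user-initiated ("none").
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin" && site !== "none") {
    return { status: 403, reason: "cross-site request" };
  }
  // Token check also covers clients that send no Fetch Metadata headers.
  if (!sameToken(req.sessionToken, req.formToken)) {
    return { status: 403, reason: "csrf token mismatch" };
  }
  return { status: 200, reason: "state change allowed" };
}
```

Running `auditRoutes` over the real route table at startup or in CI catches a mutating endpoint that was accidentally registered under GET.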

