When using a rich text editor, users are able to copy and paste images from the web. This will then get sent to the backend to be stored as markdown text: <p>some input<img src='some_pasted_source'/></p>
Is there any way to validate that the URL source is a valid image? My CSP (content security policy) contains img-src https: http: data:. I'm considering adding a check in my front end to confirm the URL is a valid URL. But outside of that, I'm not clear on how I can validate that it's not malicious. Is this CSP too lax, and open to malicious attacks? I'm considering saving the images in an S3 bucket so I can restrict the CSP even more, by only allowing my S3 endpoint for images and removing the http: https: from my CSP, but I'm not sure if that would help or be over-engineered.
edit:
I'm going to add the native URL API to validate the URL on the FE first. I forgot to initially mention that.
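One way to do the URL check the post describes with the native URL API, as an added example that is not part of the original post (function and option names are assumptions, the S3 hostname is a constructed sample). It rejects non-http(s) schemes such as javascript: or data:, embedded credentials, and, when the tightened CSP approach is chosen, any host other than the bucket endpoint; the same function runs unchanged in Node, which is where it counts as a control, since a front-end check can be bypassed by anyone posting to the backend directly.

```javascript
// Added example (not the asker's code). Names below are assumptions.
// Browser-side this is a usability filter; the CSP is what the browser enforces,
// and the backend must repeat the check before storing the markdown.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:"]);

// Returns the normalized URL string when the source is acceptable, otherwise null.
// options.allowedHosts: optional Set of hostnames (e.g. only the S3 bucket endpoint)
// for the stricter "img-src <bucket host>" CSP variant discussed in the post.
function validateImageUrl(candidate, options = {}) {
  let url;
  try {
    url = new URL(candidate);            // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null; // blocks javascript:, data:, file:
  if (url.username || url.password) return null;         // no credentials in the src
  if (options.allowedHosts && !options.allowedHosts.has(url.hostname)) return null;
  return url.href;                       // normalized form, safe to embed in the markdown
}

// Constructed sample inputs a paste handler might receive.
const SAMPLE_SOURCES = [
  "https://example.com/a.png",
  "javascript:alert(1)",
  "data:image/png;base64,AAAA",
  "https://user:pw@example.com/a.png",
  "not a url",
];

// Runs every sample through the validator and reports which ones survive.
function filterSources(sources, options) {
  return sources.map((s) => validateImageUrl(s, options)).filter((s) => s !== null);
}

// Stricter mode: only the (constructed) bucket endpoint is allowed.
const BUCKET_ONLY = { allowedHosts: new Set(["my-bucket.s3.amazonaws.com"]) };
```

Run the validator on the backend as well; the CSP still decides what the browser will actually load.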