ImageOnMap

Add whitelist for image hosting sites (security)

Sollembum78 opened this issue · 3 comments

commented

You may know that SkinsRestorer recently fixed a security breach that has to do with URLs. When a user pasted a specific link to his own website, he could track the incoming request from the server's hosting, basically letting him know the direct IP address of that hosting, which could then be used for DDoS attacks.

As far as I know, your plugin performs requests to the specified URLs to load the picture, and this may lead to similar results: if the website provided in the link is custom made to track incoming requests, this may lead to an IP leak and will make the server vulnerable. I'm talking about big BungeeCord networks with multiple dedicated servers to host many survivals etc.

I see no image hosting whitelist of allowed websites in your config, so I assume you don't have one. I suggest you add this and allow pasting links only to specific (user-defined) image hostings, to prevent such things.

commented

I have added the possibility to set an allow-list, and a permission node to bypass this restriction:
imageonmap.ignoreallowlist_hostingsite
In order to add the restriction you have to add the trusted hosts in the plugin.yml (if none are set there won't be any allow-list).
Example:
allowlist_hostingsite: https://www.supersoluce.com, https://i.imgur.com

See PR for implementation #219
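
The comment above describes a comma-separated list of trusted origins that a pasted URL is checked against before the plugin fetches it. As an added example that is not the plugin's own code from PR #219, the hypothetical `HostAllowList` class below shows one defensible way to apply such a list: it normalises each entry and each candidate URL to scheme, host and port, so that look-alike hosts, `user@host` tricks, scheme changes and non-HTTP schemes are all rejected, and an empty list disables the check as the comment states. The class, method and variable names are assumptions; only the config key `allowlist_hostingsite` and the two sample hosts come from the page.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allow-list of image-hosting origins (added example, not the plugin's code).
 * Entries are compared as scheme + host + port, so "https://i.imgur.com.evil.example"
 * or "https://i.imgur.com@evil.example" do not match "https://i.imgur.com".
 */
public final class HostAllowList {

    /** Normalised "scheme://host:port" origins; empty means no restriction. */
    private final Set<String> allowedOrigins;

    private HostAllowList(Set<String> allowedOrigins) {
        this.allowedOrigins = allowedOrigins;
    }

    /** Parses the config value, e.g. "https://www.supersoluce.com, https://i.imgur.com". */
    public static HostAllowList fromConfig(String configValue) {
        Set<String> origins = new LinkedHashSet<>();
        if (configValue != null) {
            for (String entry : configValue.split(",")) {
                String trimmed = entry.trim();
                if (trimmed.isEmpty()) {
                    continue;
                }
                String origin = originOf(trimmed);
                if (origin == null) {
                    // Fail closed at load time rather than silently allowing everything.
                    throw new IllegalArgumentException("Invalid allow-list entry: " + trimmed);
                }
                origins.add(origin);
            }
        }
        return new HostAllowList(origins);
    }

    /** True if the URL may be fetched. An empty allow-list disables the check. */
    public boolean isAllowed(String url) {
        if (allowedOrigins.isEmpty()) {
            return true;
        }
        String origin = originOf(url);
        return origin != null && allowedOrigins.contains(origin);
    }

    /** Returns the normalised origin of a URL, or null if it is not a usable http(s) URL. */
    static String originOf(String url) {
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null || uri.getRawUserInfo() != null) {
            return null; // relative/opaque URLs, "user@host" tricks, or no parsable host
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return null; // file:, ftp:, jar: etc. are never image hosts to fetch from
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1); // "i.imgur.com." == "i.imgur.com"
        }
        int port = uri.getPort();
        if (port == -1) {
            port = scheme.equals("https") ? 443 : 80; // make the default port explicit
        }
        return scheme + "://" + host + ":" + port;
    }

    public static void main(String[] args) {
        HostAllowList list = HostAllowList.fromConfig(
                "https://www.supersoluce.com, https://i.imgur.com");
        String[] samples = {                          // constructed sample inputs
            "https://i.imgur.com/abc123.png",         // allowed
            "https://I.IMGUR.COM./abc123.png",        // allowed (case and trailing dot)
            "http://i.imgur.com/abc123.png",          // denied: scheme differs
            "https://i.imgur.com.evil.example/x.png", // denied: different host
            "https://i.imgur.com@evil.example/x.png", // denied: userinfo trick
            "https://i.imgur.com:8443/x.png",         // denied: port differs
            "file:///etc/hosts",                      // denied: not http(s)
        };
        for (String s : samples) {
            System.out.println((list.isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Compile and run with `javac HostAllowList.java && java HostAllowList`. One caveat for anyone wiring this into a fetch: the check only covers the URL the player pasted, so if the HTTP client follows redirects, the redirect target needs the same `isAllowed` check before it is requested, otherwise an allowed host that redirects elsewhere would still reveal the server's address.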

commented

Indeed, there is no filter. But it's a great idea with a very rational justification. As we do not want to be a DDoS attack vector, it could be a great idea to add such a filter, yes.

I don't know if we'll be able to add this to the upcoming version as we're close to its release, but in the subsequent one, definitely.

Thanks!