Jade, unfortunately it is not entirely true that disallowing * for HTML will be enough.
If a remote page (called B) contains an img tag that GETs a URL on your site (called A), and you GET this page on B, then you'll issue a GET request to your resource on A as well, with your credentials on A.
So HTML parsing WON'T solve this problem.
(However, disallowing * will significantly reduce the risk.)
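The scenario in the comment above, modelled from the defender's side as an added example in Node.js (this is not code from the thread or from any project it mentions). It shows why the `Access-Control-Allow-Origin` value is beside the point for an `<img>` load: the browser sends the GET to A with A's cookies whether the header says `*` or a single origin, since CORS only governs whether B's script may read the response. The two controls it demonstrates are the cookie's `SameSite` attribute, which makes the browser omit the cookie on cross-site subresource loads, and Fetch Metadata (`Sec-Fetch-Site`), which lets A recognise and refuse such a request. The origins `a.example` and `b.example`, the cookie name `sid`, and the resource path are made up; the cookie-attachment model is simplified to an origin comparison.

```javascript
// Added example, not from the original thread: a model of the browser's cookie
// rule for an <img> load, plus the server-side checks site A can apply.

const SITE_ORIGIN = "https://a.example"; // assumed: our own site, "A" in the comment

// Minimal model of which cookies a browser attaches to a subresource request
// such as an <img> load (a no-CORS, non-navigation request).
//   - cross-site request: only cookies with SameSite=None are sent
//   - same-site request : every cookie is sent
// legacyDefault=true reproduces older browsers, which treated a missing
// SameSite attribute as None; current Chromium treats a missing value as Lax.
// "Same-site" is simplified here to an exact origin comparison.
function cookiesSentForImgRequest(cookieJar, pageOrigin, targetUrl, legacyDefault) {
  const crossSite = new URL(targetUrl).origin !== pageOrigin;
  return cookieJar
    .filter((c) => {
      if (!crossSite) return true;
      const mode = c.sameSite ?? (legacyDefault ? "None" : "Lax");
      return mode === "None";
    })
    .map((c) => c.name);
}

// Classify an incoming request on A from the headers the browser sent.
// Sec-Fetch-Site is set by the browser itself; page B cannot influence it.
// Returns "same-site", "cross-site" or "unknown".
function classifyRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const sfs = h["sec-fetch-site"];
  if (sfs === "same-origin" || sfs === "same-site" || sfs === "none") return "same-site";
  if (sfs === "cross-site") return "cross-site";
  // Fallback for browsers without Fetch Metadata: compare Origin or Referer.
  const src = h["origin"] || h["referer"];
  if (!src) return "unknown";
  try {
    return new URL(src).origin === SITE_ORIGIN ? "same-site" : "cross-site";
  } catch {
    return "unknown";
  }
}

// Handler for a resource on A that must never be served on the strength of an
// ambient cookie arriving from another site. The CORS header is deliberately
// not consulted: it has no bearing on whether this request was sent.
// Requests classified "unknown" (no metadata at all) are served but flagged,
// so that old clients keep working while the event remains visible in logs.
function handleProtectedGet(headers, hasSessionCookie) {
  if (!hasSessionCookie) return { status: 401, body: "login required", classified: "n/a" };
  const classified = classifyRequest(headers);
  if (classified === "cross-site") {
    // A's cookie arrived on a cross-site request: refuse and record it.
    return { status: 403, body: "cross-site request refused", classified };
  }
  return { status: 200, body: "private report", classified };
}

// Set-Cookie value A should use for its session cookie so that the browser
// withholds it on cross-site subresource loads like the <img> case above.
function sessionSetCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Walk through the comment's scenario: page B embeds an image from A.
function demo() {
  const legacyJar = [{ name: "sid", value: "abc" }];                      // no SameSite set
  const hardenedJar = [{ name: "sid", value: "abc", sameSite: "Lax" }];   // as issued by sessionSetCookie
  const img = "https://a.example/report.png";
  return {
    legacyBrowserSends: cookiesSentForImgRequest(legacyJar, "https://b.example", img, true),
    hardenedCookieSends: cookiesSentForImgRequest(hardenedJar, "https://b.example", img, true),
    serverDecision: handleProtectedGet({ "Sec-Fetch-Site": "cross-site", Cookie: "sid=abc" }, true),
  };
}

module.exports = { cookiesSentForImgRequest, classifyRequest, handleProtectedGet, sessionSetCookie, demo };
```

The `demo()` result makes the comment's point concrete: with a legacy cookie the cross-site image load carries `sid` and only the server-side check stops it, while a `SameSite=Lax` cookie is never attached to that request in the first place. Both controls are worth having, since `Sec-Fetch-Site` is absent in older browsers and `SameSite` alone does not help for cookies that must be `None` for legitimate embedding.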