The sanitizer rejects any inline CSS with "url(" to prevent web bugs.  has a proposed update to attr() which would allow circumventing this check:
<div title="https://example.org/image.png" style="background-image: attr(title url);"></div>
creates a span with a URL as title. The inline CSS then adds a background image defined by that title interpreted as URL, i.e. shows an image from any domain.
According to  no browser currently implements this syntax ( claims it is implemented in IE9, which I could not reproduce, and is wrong according to ). But once this syntax gets implemented by some browser, the sanitizer should reject /attr\s*\([^),]+url/ (I'm not entirely sure about this regexp, but something like that should do the job).
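
Added example, not part of the original report and not the sanitizer's own code: a check that runs the proposed regexp next to a stricter variant over constructed sample declarations, to show what each one flags. The function names, the token-aware regexp and the comment-stripping step are assumptions; the only syntax covered is the `attr(<name> url)` form quoted in the report.

```javascript
// Added example; names are hypothetical, not the sanitizer's own code.

// Regexp as proposed in the report, plus the "i" flag (CSS function names
// and keywords are case-insensitive).
const PROPOSED = /attr\s*\([^),]+url/i;

// Assumption: a tighter variant that requires "url" to be a separate token
// after the attribute name, so names that merely contain "url" still pass.
const TOKEN_AWARE = /attr\s*\(\s*[^\s),]+\s+url\s*[,)]/i;

// Normalise first: CSS comments are replaced by a space before matching.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, ' ');
}

// Returns null if the style passes, otherwise the name of the rule it hit.
function rejectReason(css) {
  const s = stripComments(css);
  if (s.toLowerCase().includes('url(')) return 'url-function'; // existing check
  if (TOKEN_AWARE.test(s)) return 'attr-url';                  // new check
  return null;
}

// Constructed sample declarations; the first is the one from the report.
const samples = [
  'background-image: attr(title url);',
  'background-image: ATTR( title URL );',
  'background-image: attr(title/* c */url, "x");',
  'background-image: url(https://example.org/image.png);',
  'content: attr(title);',
  'content: attr(data-url);',
];

// One row per sample: does the proposed regexp fire, and what does the
// combined check decide?
function report() {
  return samples.map((css) => ({
    css,
    proposed: PROPOSED.test(stripComments(css)),
    reason: rejectReason(css),
  }));
}

console.log(report());
```

The last sample is the case where the two regexps differ: the proposed one also fires on `attr(data-url)`, which reads an attribute whose name contains "url" but does not request URL interpretation.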