File upload preview XSS
Check whether active content runs when uploaded SVG, XML, or HTML files are rendered as previews.
HTML payload check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Do not open uploaded files as HTML on the same origin
- Serve SVG as an image only, or use a separate download domain / attachment headers
- Set an accurate Content-Type and X-Content-Type-Options: nosniff so the browser cannot MIME-sniff an upload into HTML
Payload
Checks whether uploaded SVG is only used as an image or rendered inline/object/embed.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- File-upload XSS is a cousin of stored XSS whose risky surface extends to attachment previews, download domains, and admin review tools.
- SVG looks like an image, but it is an XML document: inline rendering, object/embed, or an incorrect MIME type can turn it into active content.
- Serve user uploads from a cookie-less domain where possible, and enforce an attachment / MIME policy so HTML cannot execute inline.
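The mitigation bullets above (content-type, nosniff, attachment headers, SVG as image only) as one server-side decision, written here as an added example and not part of the lab page: the function classifies an upload by its bytes rather than the client-supplied type and returns the headers to serve it with. The function names are this example's own, and stored_name is assumed to be a server-generated filename.

```python
import re

# Magic bytes of raster formats that browsers render passively (no script can run).
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Anything markup-looking: XML declaration, doctype, HTML, script, or a non-root SVG.
MARKUP_RE = re.compile(rb"<\s*(\?xml|!doctype|html|script|svg)\b", re.IGNORECASE)
XML_DECL_RE = re.compile(rb"^<\?xml[^>]*\?>\s*")

def classify(data: bytes) -> str:
    """Classify an upload by its bytes; the client-supplied name/type is ignored."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    head = XML_DECL_RE.sub(b"", data[:1024].lstrip())
    if re.match(rb"<svg\b", head, re.IGNORECASE):
        return "svg"        # an XML document, not a picture
    if MARKUP_RE.search(head):
        return "markup"     # HTML/XML, or SVG buried inside something else
    return "unknown"

def headers_for_upload(data: bytes, stored_name: str) -> dict:
    """Response headers for serving one upload from the download origin.

    stored_name is assumed to be the server-generated name (random id plus
    extension), never the user's original filename, so it is safe to echo
    into Content-Disposition.
    """
    kind = classify(data)
    headers = {
        "X-Content-Type-Options": "nosniff",   # browser must not sniff bytes into HTML
        "Content-Security-Policy": "sandbox",  # if navigated to anyway: no script, opaque origin
    }
    if kind in RASTER_MAGIC.values():
        headers["Content-Type"] = kind
        headers["Content-Disposition"] = f'inline; filename="{stored_name}"'
    elif kind == "svg":
        # Image-only use: an <img> preview still loads it (subresource loads ignore
        # Content-Disposition) and never runs script; direct navigation becomes a download.
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    else:
        # HTML, XML, or anything unrecognised: opaque bytes, forced download.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{stored_name}"'
    return headers
```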