
File Upload 20: Active Content in Allowed Files

Goal: get the app to accept an allowed image format that still carries active content.

Hints
  • Not every "image" format is equally passive.
  • The app allowlists SVG but does no sanitization.
  • Think about markup-based payloads, not operating system execution.

Why this works

An extension allowlist checks the file's name, not its contents. SVG is XML, and the SVG grammar itself permits active content: <script> elements, on* event-handler attributes, javascript: URLs in href, SMIL animation elements that rewrite attributes at runtime, and <foreignObject>, which embeds arbitrary HTML. When the app stores the upload unsanitized and serves it inline from its own origin, any browser that renders it runs that script in the app's origin, so the "image" upload becomes stored XSS. The fix is two-sided: sanitize the markup on upload (or rasterize the SVG to a bitmap), and serve user-supplied files safely, for example from a separate origin, with a restrictive Content-Security-Policy, or with Content-Disposition: attachment so the browser does not render the file inline.
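The mechanism above, as an added example that is not part of the challenge or its application code: a constructed SVG that passes a naive extension allowlist, a detector that parses it as XML and lists each class of active content, a sanitizer that strips those elements and attributes, and the response headers a practitioner would set if the file has to be served at all. The allowlist, the set of active element names and the sample payload are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed allowlist of the challenge app: SVG is treated like any other image.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg"}

# Elements that execute or embed active content. SMIL animation elements can
# rewrite attributes such as href at runtime, so they count as active too.
ACTIVE_ELEMENTS = {"script", "foreignObject", "set", "animate",
                   "animateMotion", "animateTransform"}
# Attributes that take a URL (plain href and the legacy xlink:href form).
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample: an "image" that passes the extension check but carries
# every class of payload the detector looks for.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="red" onload="alert(document.domain)"/>
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""


def local_name(qualified):
    """'{namespace}tag' -> 'tag'; plain names pass through unchanged."""
    return qualified.rsplit("}", 1)[-1]


def extension_allowed(filename):
    """The naive check the vulnerable app performs: extension allowlist only."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def is_safe_url(value):
    """Allowlist rather than denylist: only same-document fragment references.
    Scheme denylists are bypassable (case, whitespace, control characters)."""
    return value.strip().startswith("#")


def find_active_content(svg_text):
    """Parse the SVG as XML and list every piece of active content found.
    For untrusted input in production, parse with defusedxml to cover
    entity-expansion attacks; ElementTree is used here to stay dependency-free."""
    root = ET.fromstring(svg_text)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif attr in URL_ATTRIBUTES and not is_safe_url(value):
                findings.append(f"unsafe URL in {aname} on <{name}>")
    return findings


def sanitize_svg(svg_text):
    """Remove active elements (with their subtrees) and active attributes,
    then re-serialize. ElementTree has no parent pointers, so build a map."""
    root = ET.fromstring(svg_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if local_name(elem.tag) in ACTIVE_ELEMENTS and elem in parent_of:
            parent_of[elem].remove(elem)
            continue
        for attr in list(elem.attrib):
            if local_name(attr).lower().startswith("on") or (
                attr in URL_ATTRIBUTES and not is_safe_url(elem.attrib[attr])
            ):
                del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")


def safe_serving_headers():
    """Response headers for user-supplied SVG that must be served at all:
    force download instead of inline rendering, forbid script if it is
    rendered anyway, and stop MIME sniffing. Serving from a separate
    origin (or rasterizing to PNG) removes the risk more completely."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("extension allowed:", extension_allowed("avatar.svg"))
    for finding in find_active_content(MALICIOUS_SVG):
        print("found:", finding)
    print(sanitize_svg(MALICIOUS_SVG))
```

The detector and sanitizer share the same rules on purpose, so running the detector over the sanitizer's output is a cheap regression check. The URL rule is an allowlist (fragment references only) rather than a javascript: denylist, because browsers tolerate case changes and embedded control characters in scheme names that a denylist would miss.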