These shortcomings meant it was possible for attackers to upload an XSS payload, providing it contained a file whose name ended with ‘html’ ­– a category that includes far more than just simple .html files.