There’s probably some way of XSS-ing with that, since you can upload any type of file.
