The Resources upload feature does not restrict the type of uploaded files.
An attacker can upload an HTML file, and the browser still renders it as a page on the application's origin.
The CSP is set to default-src 'self' to prevent inline script execution.
However, this is easily bypassed by uploading a .js file and then including it from the uploaded HTML file, because 'self' trusts any script served from the same origin.
First, we upload a malicious JS file onto the server:
// step1.js
alert(document.domain);
Then we upload an HTML file that includes this script:
// step2.html
<script src=/path/step1.js></script>
The JavaScript code is executed: the script is loaded from the same origin, so the default-src 'self' policy allows it.
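Two server-side controls that close this gap, as an added example (not the affected application's code): an upload check that requires the extension and the sniffed content to agree and never accepts HTML or JavaScript, and a set of response headers for serving stored files so that a CSP of default-src 'self' no longer treats them as trusted same-origin scripts or pages. The allowlist and magic-byte table are assumptions for the example.

```python
import os
import re

# Assumed allowlist for the Resources feature; HTML and JS are deliberately absent.
ALLOWED_EXT = {".png", ".jpg", ".gif", ".pdf", ".txt"}
# Leading bytes identifying each binary type, so a renamed .html/.js cannot pass as an image.
MAGIC = {b"\x89PNG\r\n\x1a\n": ".png", b"\xff\xd8\xff": ".jpg", b"GIF8": ".gif", b"%PDF-": ".pdf"}
# Markup a browser would render or execute if it sniffed a "text" upload as HTML.
MARKUP_RE = re.compile(rb"<\s*/?\s*(script|html|body|iframe|svg|img|meta|object)\b", re.I)


def classify_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return ("accept", canonical_ext) or ("reject", reason) for one upload.
    The extension and the sniffed content must agree; HTML and JS are never accepted."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        return ("reject", "extension not on the allowlist")
    head = data[:1024]
    for magic, magic_ext in MAGIC.items():
        if head.startswith(magic):
            if magic_ext != ext:
                return ("reject", "content type does not match extension")
            return ("accept", ext)
    if ext == ".txt":
        # Plain text is allowed only if it contains nothing a browser could treat as markup.
        if MARKUP_RE.search(head):
            return ("reject", "markup found in text upload")
        return ("accept", ext)
    return ("reject", "unrecognised file content")


def download_headers(stored_name: str) -> dict[str, str]:
    """Headers for serving a stored file as an opaque download. nosniff makes the browser
    refuse a <script src=...> response that is not served as JavaScript, and the attachment
    disposition plus a sandboxed CSP stop it from rendering the file as a same-origin page."""
    safe_name = re.sub(r"[^\w.\-]", "_", stored_name)  # strip quotes/CRLF from the filename
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

Serving uploads from a separate, cookie-less origin is the stronger fix; the headers above are the minimum for files that must stay on the application origin.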