Possible cross-site scripting attack via unsanitized SVG files in FoF Upload