Storing XSS in Uploaded Files
One common, but frequently overlooked, source of stored XSS vulnerabilities arises where an application allows users to upload files that can be downloaded and viewed by other users. If you can upload an HTML or text file containing JavaScript, and a victim views the file, then your payload will normally be executed.
Many applications disallow the uploading of HTML files to prevent this kind of attack; however, in most cases they allow files containing JPEG images. In Internet Explorer, if a user requests a JPEG file directly (not via an embedded tag), then the browser will actually process its contents as HTML if this is what the file contains. This behavior means that an attacker can upload a file with the .jpg extension containing an XSS payload. If the application does not verify that the file actually contains a valid image, and allows other users to download the file, then it is vulnerable.
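The check the last sentence calls for, sketched from the defender's side as an added example (not code from the original text): a server-side validator that walks the JPEG marker structure of an upload instead of trusting the .jpg extension, plus response headers that stop the browser from sniffing the content as HTML. The function names and the sample byte strings are constructed for illustration.

```python
import struct

SOS = 0xDA                                       # start of scan
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # frame headers (not DHT/JPG/DAC)
NO_LENGTH = {0x01} | set(range(0xD0, 0xD8))      # TEM and RSTn carry no length field

def has_jpeg_structure(data: bytes) -> bool:
    """True only if data is SOI, well-formed segments, a frame header, SOS, ..., EOI."""
    if len(data) < 4 or data[:2] != b"\xff\xd8" or data[-2:] != b"\xff\xd9":
        return False
    pos, saw_frame = 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:                    # every segment starts with 0xFF
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in NO_LENGTH:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return False                         # segment runs past end of file
        if marker in SOF:
            saw_frame = True
        if marker == SOS:                        # compressed data follows
            return saw_frame
        pos += 2 + length
    return False

def accept_upload(filename: str, data: bytes) -> bool:
    """Extension alone proves nothing; require the byte structure as well."""
    return filename.lower().endswith((".jpg", ".jpeg")) and has_jpeg_structure(data)

def download_headers() -> dict:
    """Headers for serving an accepted file: fixed image type, sniffing disabled."""
    return {"Content-Type": "image/jpeg", "X-Content-Type-Options": "nosniff"}

# Constructed samples: a structurally minimal JPEG, plain HTML renamed to .jpg,
# and HTML wrapped in JPEG start/end markers (defeats a magic-bytes-only check).
MINIMAL_JPEG = (b"\xff\xd8"
                b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                b"\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00"
                b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
                b"\x00\xff\xd9")
HTML_AS_JPG = b"<html><body>not an image</body></html>"
WRAPPED_HTML = b"\xff\xd8" + HTML_AS_JPG + b"\xff\xd9"
```

A structural walk like this rejects renamed HTML but does not prove the image decodes; decoding and re-encoding the upload with an image library is the stricter option, and the response headers apply either way.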