The issue (and the fix) was reported by https://hackerone.com/dgaletic