Evil GIFs: Partial Same Origin Bypass with Hybrid Files. First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.
Recent articles
- A new way to extract detailed transcripts from Claude Code - 25th December 2025
- Cooking with Claude - 23rd December 2025
- Your job is to deliver code you have proven to work - 18th December 2025