Bypass extension check leads to stored XSS at https://s2.booth.pm
Team Summary
Official summary from pixiv
In this report, a hacker identified a stored XSS in the header image upload function at https://manage.booth.pm/design/edit using Content-Type header manipulation. Upon file upload, the server failed to properly validate the provided `Content-Type`, accepting unintended values such as `Content-Type: text/html; image/png`, where `text/html` should not have been accepted. This allowed an attacker to upload an HTML file with `text/html` as the effective `Content-Type`, allowing a page with arbitrary embedded JavaScript to be loaded in a victim's browser. This resulted in a stored XSS on BOOTH's sandboxed domain s2.booth.pm.
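The failure described above is a server trusting a loosely checked client-supplied `Content-Type`. The following is an added illustration, not code from pixiv or BOOTH, of the difference between a substring-style check that accepts `text/html; image/png` and a hardened upload validator that parses the header strictly, allowlists image types, checks the file's magic bytes, and stores the object under the server-determined type. The allowlist, the signature table and the function names are assumptions for the example.

```python
import re

# Assumption for this example: the header-image upload accepts only these types.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Well-known leading byte signatures for the allowed types.
MAGIC_BYTES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# RFC 7230 token characters; a media type is exactly token "/" token.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")


def weak_check(content_type: str) -> bool:
    """The kind of check the report implies: a substring match passes
    'text/html; image/png' because 'image/png' appears somewhere in it."""
    return "image/png" in content_type


def parse_content_type(header: str):
    """Strictly parse a Content-Type value into (media_type, params).

    Returns None when the value is malformed: the first element must be a
    single type/subtype pair and every later element must be key=value.
    A bare 'image/png' after ';' is not a parameter, so it is rejected."""
    if not header:
        return None
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    if not _MEDIA_TYPE_RE.match(media_type):
        return None
    params = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            return None
        params[key.strip().lower()] = value.strip().strip('"')
    return media_type, params


def sniff_image_type(data: bytes):
    """Return the image type implied by the file's leading bytes, or None."""
    for media_type, signatures in MAGIC_BYTES.items():
        if any(data.startswith(sig) for sig in signatures):
            return media_type
    return None


def validate_upload(content_type: str, data: bytes):
    """Decide whether to accept an upload and which Content-Type to store it under.

    Returns (accepted, stored_type_or_reason). The stored type comes from the
    file signature, never from the client-supplied header."""
    parsed = parse_content_type(content_type)
    if parsed is None:
        return False, "malformed Content-Type"
    media_type, _params = parsed
    if media_type not in ALLOWED_IMAGE_TYPES:
        return False, f"type not allowed: {media_type}"
    sniffed = sniff_image_type(data)
    if sniffed != media_type:
        return False, "file signature does not match declared type"
    return True, sniffed


if __name__ == "__main__":
    # Constructed sample inputs: the header value from the report, an HTML body,
    # and a minimal PNG prefix.
    html_body = b"<html><body>constructed sample</body></html>"
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("weak check accepts:", weak_check("text/html; image/png"))
    print(validate_upload("text/html; image/png", html_body))
    print(validate_upload("image/png", html_body))
    print(validate_upload("image/png", png_body))
```

Two design points worth noting: the parser refuses any header it cannot fully account for rather than extracting the first recognisable image type from it, and the type written to storage is the sniffed one, so even a well-formed but wrong header cannot make the object later serve as `text/html`. Serving uploads from a separate sandboxed origin, as the report notes BOOTH does with s2.booth.pm, limits what a successful upload can reach, but it is not a substitute for the validation itself.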
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Cross-site Scripting (XSS) - Stored