We’ve received a report of a means of allowing an HTML file to be uploaded via Django’s ImageField. As ImageField is expected to validate for a valid image file, this provides an attack vector for someone to upload a phishing form, something to steal cookies, or something else malicious. Unfortunately, we cannot offer a solution in Django itself. Rather, you need to take some steps in how you serve static files in order to mitigate this type of attack. These steps are now outlined in our security guide. We recommend that if you allow image uploads that you check your server’s configuration against the guide.
Thanks Rolo Mawlabaux for the report.