HTML is injected directly into the DOM without encoding. The CSP should prevent the injected JS/CSS from executing, but check the policy actually allows no inline script or style rather than assuming it.
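Whether this injection is exploitable depends on what the page's Content-Security-Policy permits inline. The following is an added example (not part of the original notes) that parses a CSP header value and reports whether attacker-injected inline `<script>`, event-handler attributes and `<style>` blocks would be blocked. The header strings are constructed for illustration and assume no particular site.

```javascript
// Added example (not from the original notes): decide from a CSP header value
// whether attacker-injected inline JS / CSS would be blocked.
// Sample headers below are constructed for illustration.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// Directive names are case-insensitive; if a directive is repeated, the
// first occurrence wins (later duplicates are ignored by browsers).
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// Source list governing a fetch directive: the directive itself, otherwise
// default-src as fallback, otherwise null (no restriction at all).
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Does the governing source list stop *injected* inline code from running?
// Injected markup cannot carry the server's nonce or match an allowlisted
// hash, so inline execution is only possible via 'unsafe-inline', and
// 'unsafe-inline' is itself ignored once a nonce or hash source is present.
function blocksInjectedInline(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return false; // nothing restricts this content type
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) return false;
  return true;
}

// Summary for one header: can injected inline JS / CSS execute?
function evaluateCsp(header) {
  const policy = parseCsp(header);
  return {
    inlineScriptBlocked: blocksInjectedInline(policy, 'script-src'),
    inlineStyleBlocked: blocksInjectedInline(policy, 'style-src'),
  };
}

// Constructed sample headers, from strict to absent.
const samples = {
  strict: "default-src 'self'",
  inlineScripts: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  nonced: "script-src 'nonce-r4nd0m' 'unsafe-inline'",
  none: '',
};
for (const [name, header] of Object.entries(samples)) {
  console.log(name, evaluateCsp(header));
}
```

Two caveats when reading the result: the check models CSP2-style fallback only, so CSP3's `script-src-elem` / `style-src-elem` overrides are not considered, and a "blocked" verdict says nothing about allowlisted external hosts, since an injected `<script src=...>` pointing at an allowlisted CDN still loads. Treat the function as a first pass before testing payloads in the browser.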