Is it safe to allow HTML uploads? (2023)

Continuing the discussion from Is it safe to allow HTML uploads?:

Responses in the thread were of the form “why would you ever want this?” I have an answer.

Our forum is dedicated to the development of web-based games. I’d like our users to be able to distribute their games to each other using the forum. (But not if it will cause an XSS attack.)

As long as uploaded HTML files always have “Content-Disposition: attachment” (as it appears they do), I’m not aware of any XSS attack that this would enable, or even a novel phishing attack. Links to the HTML file will force it to be downloaded, not opened directly on the forum’s site.

(I note that Gmail allows users to download HTML file attachments; it seems fine.)

Of course, phishing attacks can be extremely simplistic. Today, anyone at TL1 could just DM a forum user and say, “Hi, I’m this forum’s administrator. Please send me your password.” Similarly, they can already create a website at evil.example.com that’s designed to look exactly like the forum’s login page, and they could try to trick users into clicking that link and typing their password in there.

I guess they could also try to do it with an attachment, saying “Hi, I run this forum, please download this file and open it, OK?” and that file might include a mockup of the forum’s login page.

But downloading an HTML file and double clicking it wouldn’t be any more dangerous from a phishing perspective than allowing users to click a link to an evil website. And, since it’s more complicated, it will probably fool fewer users than just sending out links to a phishing site (the traditional way).

Sooo is there an XSS risk here? Or a subtle phishing attack I’m not aware of?