From what we're able to tell from the reporter, there is no issue here. Web browsers displaying the contents of files from FTP connections as HTML (with script) is intended behaviour and not a vulnerability. And works on other browsers too.

The angle of 'hiding' HTML pages as files of other types is irrelevant; there is no file typing mechanism in FTP to subvert. An HTML file ending in '.jpeg' is just as valid as one ending '.html'.

There is no actual XSS component here.
bobince | Homepage | 10.28.08 - 6:00 am | #