Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document.