
The XSS is possible without Laravel validation? #159

Closed
fumiyasac opened this issue May 30, 2016 · 2 comments

@fumiyasac

When I use Laravel-Stapler without validation, a malicious file can be uploaded to the public directory or storage.
An error (Symfony Component Exception) is displayed on the screen, but when I check my storage, the malicious file exists.
It is thought that the cause of this problem is that the file MIME type is not confirmed.
Because a similar problem happened in a former version of "paperclip", I added a postscript with the links which seemed to serve as a reference.

Just FYI:
・Paperclip Security Release
https://robots.thoughtbot.com/paperclip-security-release
・Fix a possible security issue with spoofing
thoughtbot/paperclip@9aee411

@tabennett
Contributor

I don't think this is an issue with this plugin; it's really an issue with the end-user's application that they use this plugin in. Paperclip also handles/provides mime type validation; Stapler doesn't. The only thing this plugin verifies is that the uploaded file isn't spoofed, and that validation is done via the Symfony UploadedFile object. Aside from that, it's entirely the responsibility of the end user to verify the mime types of their files as needed by the constraints of their specific application.
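As an added example (not code from this thread or from the Stapler project), this is the kind of content-based check an application can run on an upload before handing it to Stapler; the function name `assertSafeUpload` and the allowlist are assumptions. Laravel's own `mimes:` validation rule performs an equivalent content-based check and is the simpler choice inside a Laravel controller.

```php
<?php
// Added example: validate an uploaded file by its *content*, not by the
// client-supplied filename or Content-Type, before passing it to Stapler.
// Function name, exception class and allowlist are assumptions for illustration.

final class UnsafeUploadException extends RuntimeException {}

/**
 * @param string $tmpPath    Path to the uploaded temp file (e.g. $_FILES['avatar']['tmp_name'])
 * @param string $clientName Original filename as sent by the browser
 * @return string            Canonical extension to store the file under
 */
function assertSafeUpload(string $tmpPath, string $clientName): string
{
    // Allowlist: detected MIME type => extension the file will be stored as.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];

    if (!is_uploaded_file($tmpPath)) {
        throw new UnsafeUploadException('Not an uploaded file');
    }

    // Detect the type from the bytes; $_FILES['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !isset($allowed[$detected])) {
        throw new UnsafeUploadException('Disallowed content type: ' . var_export($detected, true));
    }

    // Require the client extension to agree with the detected type, so a file
    // carrying an image header but a non-image extension is still rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $expected = $allowed[$detected];
    if ($ext !== $expected && !($expected === 'jpg' && $ext === 'jpeg')) {
        throw new UnsafeUploadException("Extension .$ext does not match detected $detected");
    }

    // The caller should store the file under a generated name with this
    // extension, never under $clientName.
    return $expected;
}

// Usage in a controller, before the file reaches Stapler:
// $ext = assertSafeUpload($_FILES['avatar']['tmp_name'], $_FILES['avatar']['name']);
```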

@fumiyasac
Author

Thank you for the answer. My reply is late, and I am sorry.
