I found a form where, if a user uploads a file of a type that is unsupported, the name of the file is not sanitized at all and is reflected back to the user.
For example, if a file with the name is uploaded, the name is then embedded in the page, causing an XSS to trigger.
However, it is important to note this is NOT a stored XSS, as the name of the file is embedded as an error message: “Filename is not supported”. The file is never actually uploaded server side.
My question is, is this counted as a self-XSS? I believe it is because it requires the user to upload a specific file, but I am not sure, as reading up on other reports has made me a little confused.
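
The reflection described in the question, next to two ways of fixing it, as an added example that is not part of the original post or the affected site's code. The allowlist, function names, markup and sample file name are all assumptions made for illustration.

```javascript
// Added example: every name below is hypothetical, not taken from the affected form.
const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "pdf"]); // assumed allowlist

// Constructed sample: harmless markup is enough to show the name being parsed as HTML.
const SAMPLE_NAME = "<b>report</b>.exe";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and attribute contexts.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Extension check against the allowlist (case-insensitive, last extension only).
function isSupported(fileName) {
  const dot = fileName.lastIndexOf(".");
  const ext = dot === -1 ? "" : fileName.slice(dot + 1).toLowerCase();
  return ALLOWED_EXTENSIONS.has(ext);
}

// Before: the pattern the post describes. The raw name is concatenated into
// markup, so any tags in the name become part of the page.
function unsafeErrorHtml(fileName) {
  return '<p class="error">' + fileName + " is not supported</p>";
}

// After, option 1: HTML-encode the name before it reaches the markup.
function safeErrorHtml(fileName) {
  return '<p class="error">' + escapeHtml(fileName) + " is not supported</p>";
}

// After, option 2 (browser): assign through textContent, which never parses
// its value as HTML. `element` is any DOM node that displays the error.
function showError(element, fileName) {
  element.textContent = fileName + " is not supported";
}

// Validation that only ever returns the encoded form of the error.
function validateUpload(fileName) {
  if (isSupported(fileName)) return { ok: true, errorHtml: null };
  return { ok: false, errorHtml: safeErrorHtml(fileName) };
}
```

The same encoding applies if the error message is built on the server instead of in the browser.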