Stored-XSS vulnerability
Reported by Yann CAM (ycam) by mail:
Jirafeau once was affected by CVE-2022-30110. The fix provided back then checks for MIME type image/svg+xml. But this check can be bypassed by manipulating the request header to contain MIME type image/svg+XML.
ycam also provided a fix. All we have to do is to replace strpos() in line 562 of functions.php with stripos(), so that it looks like this:
if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
I will include this fix in 4.6.1 and report a CVE.
Edited by Patrick Canterino
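The case-sensitivity problem described above, as an added example that is not Jirafeau's code and not part of the original report. The VIEWABLE list, the explode() step and the function names are assumptions made for illustration, and the MIME strings are constructed samples; only the strpos()/stripos() condition is taken from the issue.

```php
<?php
// Added example, not Jirafeau's functions.php. Only the strpos()/stripos()
// condition comes from the issue; everything else is assumed for illustration.

// Assumed list of top-level types that may be previewed inline.
const VIEWABLE = ['image', 'video', 'audio'];

// The check as it was before the fix: strpos() is case-sensitive, so only
// the exact lowercase spelling of the SVG MIME type is rejected.
function previewAllowedBefore(string $mime): bool
{
    $decomposed = explode('/', $mime);
    return in_array($decomposed[0], VIEWABLE)
        && strpos($mime, 'image/svg+xml') === false;
}

// The check with the fix from the issue: stripos() ignores case, so every
// spelling of image/svg+xml is rejected.
function previewAllowedAfter(string $mime): bool
{
    $decomposed = explode('/', $mime);
    return in_array($decomposed[0], VIEWABLE)
        && stripos($mime, 'image/svg+xml') === false;
}

// Constructed sample values, as a client could send them in a request header.
$samples = [
    'image/png',
    'image/svg+xml',
    'image/svg+XML',                 // the spelling named in the issue
    'image/SVG+xml; charset=utf-8',  // mixed case plus a parameter
    'text/html',                     // top-level type is not viewable at all
];

foreach ($samples as $mime) {
    printf(
        "%-30s before=%-5s after=%s\n",
        $mime,
        var_export(previewAllowedBefore($mime), true),
        var_export(previewAllowedAfter($mime), true)
    );
}
```

Any row where "before" is true and "after" is false is a MIME string that the old check would have let through to the inline preview.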