ZendTo before 6.06-4 Beta allows XSS during the display of a drop-off in which a filename has unexpected characters.
