Not a security hole, but a UX issue. Also... don't render artifacts before rendering the nickname form.