All the lovely work on client-side and server-side rendering won't go anywhere if we can't allow files to be uploaded for security reasons.
(Alternatively, could we host the files on something like wmfusercontent.org as we use for Phabricator in an <iframe> that doesn't have access to things we're worried about?)