Convert a file — what used to be a multi-step job flow (create job → add input → set conversion → start → poll → download) is now a single call: ...
The default file-input block has allowedFileTypes disabled, so the check is skipped entirely; even when enabled, the attacker simply declares an allowed MIME (fileType) while uploading an .html body ...