Attached files are opened from local cache making it's possible to execute javascript in context of "file://". By adding ',' character to file extension it's possible to bypass content filtering.
vulners.com/securityvulns/securityvulns:doc:9756