On December 22th, 2015, a bug bounty hunter called Juhhga reported another reflected XSS on Shopify. Let's check the request he made:
Content-Disposition: form-data; name="properties[Artwork file]" after: Content-Disposition:
form-data; name="properties[Artwork file<img src='test'
onmouseover='alert(2)'>]";
He found that the Artwork File was vulnerable to XSS, and inserted the JavaScript code there.
If you want to read the complete report, you can find the original post here: https://hackerone.com/reports/95089.