[thelist] Input File Value

Ben Ewing bewi at haestad.com
Fri Oct 5 10:41:22 CDT 2001


Shoot, didn't think about it that way.

I guess I'll try it a different way.

Just for a bit of background on what I'm trying to do, so nobody thinks I'm
trying to do anything evil.  I'm setting up a place for people to upload
image files for a photo album.  The script requires that for every large
image I also need a small one with the same name + _t.  So, I was hoping to
make it so people would only need to browse for the large files and then the
small file name automatically fills in the next file box.

With this security issue I don't see any solutions that could not compromise
people's files.

Thanks a lot. 

-----Original Message-----
From: Joshua Olson [mailto:joshua at alphashop.com]
Sent: Friday, October 05, 2001 11:38 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Input File Value


I found the information on w3c:

http://www.w3.org/TR/html4/interact/forms.html#h-17.4.1

It says that user agents *may* use the value attribute as the initial file
name.  But, the overall consensus is that allowing the use of a default
filename would open up a very serious security hole.  If I was able to set
it, I could set the filename to the user's password list (or some other
sensitive file), and set the input to not be visible via CSS.  When the user
submits the form they would unknowingly give me a secret file!  Can you
imagine the impact that could have?  It is for those sorts of reasons that
no browsers (that I know of) support the value attribute on the file tag.

This doesn't help you with your predicament, but hopefully it encourages you
to move on to other solutions without wasting too much time on this one.

-joshua

----- Original Message -----
From: "Ben Ewing" <bewi at haestad.com>
Subject: [thelist] Input File Value


: I'm trying to set the Value attribute on a File type Input field and it's
: not working.  Every HTML source I've read, including w3c.org, says that the
: File type supports the Value attribute.  But, I'm pretty certain at this
: point that it doesn't.
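
Added example, not part of the original thread or anyone's posted code: scripts can read the name a user picked in a file input but cannot set one, so a page can check the large/thumbnail naming rule on the names the user selected instead of pre-filling the second box. The function names and the rule that `_t` goes just before the extension are assumptions made for illustration.

```javascript
// Added example; the "_t before the extension" rule is an assumption.
// Scripts may read a file input's value but cannot set it, so the page
// checks the names the user picked instead of pre-filling them.

// Strip any directory part, including the "C:\fakepath\" prefix browsers report.
function baseName(value) {
  return value.split(/[\\/]/).pop();
}

// Split "beach.JPG" into { stem: "beach", ext: ".JPG" }; ext is "" if absent.
function splitExt(name) {
  const dot = name.lastIndexOf(".");
  return dot > 0
    ? { stem: name.slice(0, dot), ext: name.slice(dot) }
    : { stem: name, ext: "" };
}

// Expected thumbnail name for a large image: "beach.jpg" -> "beach_t.jpg".
function thumbNameFor(value) {
  const { stem, ext } = splitExt(baseName(value));
  return stem + "_t" + ext;
}

// Given every name the user selected, pair each large image with its
// thumbnail and report what is missing. Matching ignores case.
function pairUploads(values) {
  const names = values.map(baseName);
  const byKey = new Map(names.map((n) => [n.toLowerCase(), n]));
  const isThumb = (n) => splitExt(n).stem.toLowerCase().endsWith("_t");
  const pairs = [], missingThumbs = [], used = new Set();
  for (const large of names.filter((n) => !isThumb(n))) {
    const key = thumbNameFor(large).toLowerCase();
    if (byKey.has(key)) {
      pairs.push({ large, thumb: byKey.get(key) });
      used.add(key);
    } else {
      missingThumbs.push(thumbNameFor(large));
    }
  }
  const orphanThumbs = names.filter(
    (n) => isThumb(n) && !used.has(n.toLowerCase())
  );
  return { pairs, missingThumbs, orphanThumbs };
}
```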

