[Javascript] Adding more HTML to DIV with form

Nick Fitzsimons nick at nickfitz.co.uk
Tue Jun 13 11:44:32 CDT 2006 

Peter Lauri wrote:
> Hi,
> 
> I have a script that adds HTML to a specific DIV with a specific ID:
> 
> If the user has filled in information in the form already, all information
> is still there except in the <input type="file"...> object. Why is that?
> 

You can't set the value of a file input via script for security reasons 
- it would make it very easy for a malicious web site to potentially 
steal confidential information from a visitor's computer.

For example, if there was a widely-used program which stored somebody's 
financial information (bank account details, etc.) and by default it 
stored that information at

C:\Program Files\NotVeryGoodMoneyManager\Data\BankAccounts.dat

then I could write a script which, when the page was loaded, created a 
form with a file input with that value and then submitted it; then 
anybody who visited that page would automatically give me all their 
account details. To avoid this, the value of a form field can only be 
set by the user clicking on it and selecting a file.

You could perhaps do something using proper DOM methods instead of using 
the (non-standard) innerHTML; try using techniques like:

var fileInput = document.getElementById("theFileInput");
fileInput.parentElement.removeChild(fileInput);
/* do stuff here to remove then rebuild the form */
newForm.appendChild(fileInput);

but you'll need to test it carefully cross-browser, to ensure it retains 
its value when you add it back in to the page.

Incidentally, I'd also test very carefully to see if all browsers retain 
the original form values for the other elements of the form - IIRC, 
Internet Explorer for Windows may do so (under certain circumstances), 
but it's not a guaranteed behaviour - every browser manufacturer has to 
decide for themselves how to handle that case, as it's not specified 
anywhere in the standards. In fact, it's entirely possible that it's 
only working accidentally, if they never actually considered what would 
happen in that case. Other browsers such as Firefox, Safari, Opera and 
Internet Explorer for Macintosh (which despite the name has absolutely 
no code in common with IE for Windows) may not behave the same way.

Could you not achieve what you are looking for by manipulating the 
individual parts of the page you want to affect, if necessary showing 
and hiding stuff, rather than blowing away and rewriting whole areas? 
You might find it easier and more flexible in the long run.

HTH,

Nick.
-- 
Nick Fitzsimons
http://www.nickfitz.co.uk/

More information about the Javascript mailing list