Feedback on HTML5 Editor's Draft 25 March 2011 from Andrew Simons on 2011-03-25 (public-html-comments@w3.org from March 2011)

From: Andrew Simons <ajcsimons@googlemail.com>
Date: Fri, 25 Mar 2011 13:20:44 +0000
To: public-html-comments@w3.org
Message-ID: <AANLkTik1DT-voveSY7kOv46yg4Uv-MBknT=rhPFQ2Jcj@mail.gmail.com>

Hi,

In the section File Upload state
(http://dev.w3.org/html5/spec/Overview.html#file-upload-state) the
example javascript function extractFilename contains a bug.

function extractFilename(path) {
  var x;
  x = path.lastIndexOf('\\');
  if (x >= 0) // Windows-based path
    return path.substr(x+1);
  x = path.lastIndexOf('/');
  if (x >= 0) // Unix-based path
    return path.substr(x+1);
  return path; // just the filename
}

On a unix system backslash is a valid character in a file name and is
not a path separator, so if one chooses a file called "back\slash"
("back" is not a directory here, the full path to the file would be
something like "/usr/stuff/back\slash), then extractFilename will
incorrectly trim the filename to "slash", when the correct behaviour
is to preserve the complete filename of "back\slash". This bug arises
from the incorrect logic that a path containing a backslash implies
the path is a Windows-style path.

To correctly trim a path to just the filename, one needs to know the
path separator of the OS from which the path originates, using
techniques such as inspecting the user agent header. This is all
rather unpleasant, so I would have thought the HTML5 spec would be
much neater if it didn't mandate the addition of the "C:\fakepath\"
prefix. Presumably this was done so that exisitng code which assumes
the value attribute is a full file path (as IE8 returns, potentially
disclosing sensitive information) can continue to 'work'. However, why
should the poor behaviour of legacy browsers pollute the HTML5 spec
with the string "C:\fakepath\" which refers to the standard hard drive
of Windows filesystems. When this string appears in browsers running
on Linux or other platforms users get very confused.

I appreciate updating html specs whilst wishing to maintin backwards
compatibility with existing code and browsers is difficult, but at the
very least the javascript example shouldn't be buggy. The fact there
is no good fix to the bug though does make me question to wisdom of
the fakepath hack.

Regards,

Andrew Simons

Received on Friday, 25 March 2011 23:25:09 UTC