W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2009

[whatwg] Fakepath revisited

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 14 Sep 2009 01:12:39 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0909140046350.5185@hixie.dreamhostps.com>
On Mon, 14 Sep 2009, Eduard Pascual wrote:
> I already posted an example showing how fakepath can easily break 
> compatibility with well-written sites. I explicitly asked for 
> counter-arguments to it and none has been provided, but the argument 
> doesn't seem to be taken in consideration at all. Hence I'm wondering 
> how the compatibility arguments are treated here. Is compatibility with 
> an unknown-size niche of clearly bad-designed sites more important than 
> with potentially thousands of well-designed ones?

Dropping part of the file name in the rare case of a filename that 
contains a backslash seems like less of an issue that failing to accept 
the upload at all.

On Mon, 14 Sep 2009, Robert O'Callahan wrote:
> This is a very minor issue and I'm fine with adding this to Gecko, 
> personally, except that first I really would like to see some specific 
> examples of sites that need this. There remains the faint possibility 
> that these sites already work in Firefox for some reason, and I'd like 
> to understand why, or if they don't, then I'd like to understand why we 
> haven't felt the need for this hack. Plus I think that in the spirit of 
> making decisions based on data, we should expect actual data to be 
> presented if possible, especially if requested, and here it seems like 
> it should be easy, yet I asked for specific examples earlier and none 
> have been forthcoming.

Here are some bug reports that I believe are caused by this issue:


Based on this my guess is just that people haven't filed this bug because 
they haven't thought of it as a browser bug (notice how nobody in those 
threads even mentions the browser).

One of the sites I know aout that had this bug in Firefox and Safari was:


...but it has now been fixed (search for 'strFileName.indexOf("\\")' in 
the source -- it was commented out last year).

Microsoft, in their blog post, refer to a number of other sites they 
tested, though they don't name them:


I would love more data.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 13 September 2009 18:12:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:52 UTC