Re: Even better

On 9/28/07, Kim Daugaard <kim.daugaard@gmail.com> wrote:
> Hi Brett Bieber,
>
> Thanks for your reply.
>
> Of course browsers do not support automatic file upload. And that is not what
> I am asking for.
>
> What I am asking for is just a tiny server service:
>
> When the http://validator.w3.org/#validate_by_upload server
> receives the initial URL GET with a parameter, like
> ?filename=C:\folder\file.html, it should validate it, and if it is a valid
> file name, the server should pre-populate the input field with the file
> name, returning the form page to the browser.
>
>
> From page source:
>
> <input type="file" id="uploaded_file" name="uploaded_file" size="30"
> value="C:\folder\file.html" />
> <input title="Submit for validation" type="submit" value="Check" />
>
>  In real life the folder is way down the file system, and the file to
> validate is among hundreds of files.
>
> By adding the value attribute to the input field holding the file name from
> Get request, you will serve our needs. Our testers still have to press the
> 'Check' button -  no security issue.
>
> On pages we will use javascript and window.document.URL to define the
> validator link like:
>
> http://validator.w3.org/#validate_by_upload?filename=C:\folder\file.html
>
> This would be a great service to us, making our validation process for
> prototyping more simple.
>


Hi Kim,

You must have missed the first line of my response ---

"Browsers do not support pre-populated (default values for) file input fields."

The security issue is that if this were possible and you could set a
default value for an input type="file" by something simple like this -

    var uploadel = document.getElementById('uploadfileel');
    uploadel.value = 'C:\\foo.html';

You could then say document.myform.submit();

This is why the W3C specifies "A user agent should not send any file
that the user has not explicitly asked to be sent."

http://www.w3.org/TR/html4/appendix/notes.html#h-B.10.1

If what you're suggesting were possible, you could just as easily
create a file for your own development and point the action attribute of
the form to http://validator.w3.org/check (mirroring the file-upload
form on the w3 validator's website).
I might suggest this as a good exercise for understanding the security
issues surrounding forms+file-uploads.

> Thanks again.
>
> Kind regards
> Kim Daugaard
>
>
>
>
> On 9/28/07, Brett Bieber <brett.bieber@gmail.com> wrote:
> > On 9/24/07, Kim Daugaard <kim.daugaard@gmail.com> wrote:
> > > Hi,
> > >
> > > I have a suggestion for making W3C validator even more attractive.
> > >
> > > We are making all html prototyping without any web server (hundreds of
> > > pages). We can place a link to the 'Validate by file upload,'
> > > http://validator.w3.org/#validate_by_upload on each page
> > > (and we do) but we still have to browse for the file each time we want to
> > > validate it.
> > >
> > > What I would like, was the ability to add the file name to the get-request
> > > (using javascript, like:
> > > http://validator.w3.org/#validate_by_upload?file=C:\folder\file.html
> > > ), and have it filled into the file input field of the upload page. Then we
> > > only need to press 'Check'.
> > >
> > > That would be really cool!
> > >
> >
> > Hi Kim,
> >
> > Browsers do not support pre-populated (default values for) file input
> > fields. As you can imagine, if this were possible it would be trivial
> > to upload specific files off an end user's computer with malicious
> > intentions.
> >
> > For security reasons, any file which is uploaded to a web site must be
> > manually selected by the end user. Unfortunately you'll either have to
> > manually select and upload the files for validation  - or - look into
> > one of the documented libraries for connecting to the Validator's API
> > and create your own intermediate script which will upload the file to
> > the validator, or send the file's content as direct input.
> >
> > http://validator.w3.org/docs/api.html#libs
> >
> > --
> > -Brett Bieber
> >
> > http: saltybeagle.com aim:ianswerq
> >
>
>


-- 
-Brett Bieber

http:saltybeagle.com aim:ianswerq

Received on Friday, 28 September 2007 12:10:55 UTC
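
The "intermediate script" route suggested in the thread, sketched as an added example (not part of the original messages and not W3C code): a Node.js script that uploads a file the operator names explicitly on the command line. The `uploaded_file` field name and the `http://validator.w3.org/check` address come from the thread; the helper names, boundary format and `text/html` part type are assumptions of this sketch.

```javascript
// Added example. Only the file's base name is sent, and characters that could
// break out of the Content-Disposition header are replaced.
const VALIDATOR_URL = 'http://validator.w3.org/check'; // address given in the thread

// Reduce a local path to a header-safe base name: no directories, CR/LF or quotes.
function safeFilename(path) {
  const base = path.split(/[\\/]/).pop() || 'upload.html';
  return base.replace(/[\r\n"]/g, '_');
}

// Build a multipart/form-data request carrying one file in `uploaded_file`.
function buildUploadRequest(path, content, boundary) {
  boundary = boundary || '----validator' + Date.now().toString(16);
  const data = Buffer.isBuffer(content) ? content : Buffer.from(content, 'utf8');
  // A boundary that also occurs in the file would truncate the upload.
  if (data.includes('--' + boundary)) throw new Error('boundary occurs in file content');
  const head =
    `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="uploaded_file"; filename="${safeFilename(path)}"\r\n` +
    'Content-Type: text/html\r\n\r\n';
  const tail = `\r\n--${boundary}--\r\n`;
  return {
    headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
    body: Buffer.concat([Buffer.from(head, 'utf8'), data, Buffer.from(tail, 'utf8')]),
  };
}

// Read and send one file; the path is always supplied by the person running the script.
async function validateFile(path) {
  const { readFile } = await import('node:fs/promises');
  const req = buildUploadRequest(path, await readFile(path));
  const res = await fetch(VALIDATOR_URL, { method: 'POST', headers: req.headers, body: req.body });
  return res.status;
}

// Runs only when a path is given, e.g.: node validate.js C:\folder\file.html
if (process.argv[2]) {
  validateFile(process.argv[2]).then((s) => console.log('HTTP status', s), console.error);
}
```

Unlike a page script setting the value of a file input, this runs with the operator's own privileges on a path the operator typed, so the choice of file stays with the person sending it.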