Re: [whatwg] Review of the 3.16 section and the HTMLInputElementinterface

On Thu, May 15, 2008 at 1:23 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> Samuel Santos wrote:
>>
>> I don't think this is a valid argument since you can change it anyway [1].
>>
>> [1] http://www.quirksmode.org/dom/inputfile.html
>
> I should note that some consider this a (low priority, low severity)
> security bug that should just be fixed (e.g. by disallowing opacity styling
> on file inputs or some such).
>
> -Boris
>

The Yahoo! UI toolkit [1] allows a developer to create a "browse" that
looks like whatever he wants it to and can be controlled by javascript
pretty much however he wants it to.  Flickr uses this (you have no log
in, so no link here).  It also has more robust features than <input
type=file>
- the interface can have custom styles
- the dialog can choose multiple files
- the dialog can filter certain file types

That Yahoo widget uses Flash and Javascript to make all that happen.
Adobe isn't going to take this feature of Flash away (Javascript
control of a file dialog) and I wouldn't expect browsers to try to
block it.

The W3C File Upload [2] draft allows for the something similar using
plain javascript without the requirement for Flash, and there are
already implementations in the wild.  That's just a generic Javascript
API - I can't imagine browsers trying to restrict  how that looks on
the page.  Again,
- the interface that have custom styles (anything with an onclick will do)
- the dialog can choose multiple files

These aren't features you're going to take away from today's users of
popular web applications.  Those features are here to stay.  I don't
see how customizing the look of the file dialog's button is a security
risk.  Sure, the button might say something malicious, but it still
requires the user to browser his local files, choose a file, and click
"Open".

One problem with either the Yahoo widget or the File Upload draft is
that they both require Javascript to function.  If you want these
features to be accessible to non-Javascript enabled browsers, we'll
need to include it in HTML.  It would probably call for a new <input>
type with a more specific, flexible presentation (i.e. just a button
that can be styled with CSS)

If Javascript is as an acceptable requirement, another problem with
those solutions is that they require separate POSTs.  The Yahoo
uploader uses a separate request for each file.  The File Upload API
has functions like getDataAsHexBinary that, I guess, could put a
file's data into a hidden input field, but that data still wouldn't be
uploaded the same way regular <input type=file> is uploaded (as
multipart/form-data with headers for each file, etc).

It would be better for HTML to specify an accessible and clean way of
styling buttons for producing file dialogs than to force Samuel Santos
to use dirty CSS hacks, a proprietary tool, or an API that interfaces
with HTML forms in a clunky way.

[1] http://developer.yahoo.com/yui/uploader/
[2] http://www.w3.org/TR/file-upload/

-- 
Jon Barnett

Received on Thursday, 15 May 2008 19:34:39 UTC