- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 9 Jan 2015 14:46:23 +0100
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: WebApps WG <public-webapps@w3.org>
On Fri, Jan 9, 2015 at 2:29 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/9/15 7:14 AM, Anne van Kesteren wrote:
> OK. So just to be clear, the type will be set before the input's cloning
> callback runs, yes?

Yes.

>> It's a bit unclear to me why "When an input element's type attribute
>> changes state" does not sanitize this value
>
> When the type changes it sanitizes the value of the input. Though I see
> nothing in the spec to indicate this; I filed
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=27791

As far as I can tell from the specification, when the value IDL attribute is in the filename mode, any values that might be stored in internal slots are ignored.

> Because if the cloning steps in HTML are left as-is but run after script can
> change the type, then you can create a file input with an arbitrary value
> filled in. Which is a security concern.

As far as I can tell from the specification you cannot influence the value returned by <input type=file>.value in any way.

--
https://annevankesteren.nl/
Received on Friday, 9 January 2015 13:46:54 UTC
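
The filename-mode reading given in the reply above, as an added sketch that is not part of the original message and not code from any browser or from the specification. `ModelInput` and `cloneAfterTypeChange` are hypothetical names, the model covers only the `value` getter and setter, and the path string is a constructed sample.

```javascript
// Simplified model of the value IDL attribute modes; ModelInput and
// cloneAfterTypeChange are hypothetical names, not browser or spec APIs.
class ModelInput {
  constructor(type) {
    this.type = type;
    this.internalValue = "";  // internal value slot
    this.selectedFiles = [];  // filled only by a user's file selection
  }
  get value() {
    if (this.type === "file") {
      // filename mode: the internal value slot is never read
      return this.selectedFiles.length
        ? "C:\\fakepath\\" + this.selectedFiles[0]
        : "";
    }
    return this.internalValue;
  }
  set value(v) {
    if (this.type === "file") {
      // filename mode: script may only clear the selection
      if (v !== "") throw new Error("InvalidStateError");
      this.selectedFiles = [];
      return;
    }
    this.internalValue = String(v);
  }
}

// The ordering under discussion: the copy's type is switched by script
// before the cloning steps propagate the source's internal value.
function cloneAfterTypeChange(source, scriptChosenType) {
  const copy = new ModelInput(source.type);
  copy.type = scriptChosenType;              // script runs first
  copy.internalValue = source.internalValue; // cloning steps run after
  return copy;
}

const source = new ModelInput("text");
source.value = "/home/user/secret.txt"; // constructed sample value
const copy = cloneAfterTypeChange(source, "file");
console.log(JSON.stringify(copy.value), JSON.stringify(copy.internalValue));
```

In this model the slot on the copy still holds the propagated string, but the getter in filename mode never returns it; the model says nothing about form submission or about how any particular browser orders the cloning steps.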