- From: Greg Kilwein <gkilwein@fbsdata.com>
- Date: Wed, 18 Aug 2004 10:17:41 -0500
Matthew Thomas wrote:
> On 18 Aug, 2004, at 12:11 PM, Lachlan Hunt wrote:
> > ...
> > How exactly would it make it any easier for a user to be tricked into
> > selecting and uploading a private file if there was no visible browse
> > button? The user would just be forced to type the full path manually,
> > rather than selecting it with a GUI, so they would still know they were
> > selecting a file.
> > ...
>
> Extensive discussion: http://bugzilla.mozilla.org/show_bug.cgi?id=57770

After reading this discussion on the Mozilla site about the file upload control, from what I've seen, the only purpose of accessing the ".value" of a file upload control is to know whether the user has entered a file name. I've used this in a case where the file upload control required an entry.

I suggest changing the ".value" to be a boolean (instead of a string that contains the file and path names) and disallowing the paste command for the textbox portion of the control. That is, scripts could test for "fileupload.value == true" to determine if the user has entered any value in the field that satisfies the minimum number of required files.

This would prevent scripts from knowing what exactly was entered into the field, and would defeat any attempt to automatically submit a form once a given value was entered, like in the example attached to the entry on the Bugzilla discussion. So, if a user started typing in the box one character at a time, the script would not know exactly what was entered, but instead would only know that at least one character was entered. This would defeat the script in the example:

    if (document.f.muahahaha.value == 'c:\\autoexec.bat')
      document.f.submit();

That would no longer work. Instead, it would need to be:

    if (document.f.muahahaha.value)
      document.f.submit();

And that would make the form useless, as any entry (valid or invalid) would cause the form to be submitted.

The disabling of the paste command would eliminate the possibility of unwanted or hidden text being pasted into the box. For users who would want to paste, they could click the "browse" button and paste the filename(s) in that box, where automatic form submission isn't possible.

For multi-file uploads, the ".value" could be set to true when the correct number of filenames have been entered in the box (i.e. they have selected at least the minimum number of files but have not exceeded the maximum number of files).

This change would be backward compatible. Consider the following script executed on both legacy and HTML5 conformant UAs:

    if( document.f.fileupload.value )
      do_something();

This would work to test for the presence of a value in the text box portion of the control for existing browsers that return a path/filename for value, as well as future browsers that return the boolean value.

As far as styling is concerned, I would find it very valuable to be able to style the text box and the button on those platforms or UAs that allow styling of form buttons. I go to great lengths to develop a polished UI for my web application, and an unstylable (or unpredictably styleable, as is the case with current browsers) file upload control is an eyesore on an otherwise professional looking application.

With the new boolean ".value" property and the elimination of the paste capability, I believe that the security risk is lessened. Granted, there is always some sort of security risk - if a person would blindly follow instructions on a random website that tells them to type the name of some confidential private file in a box and hit submit, chances are there's another person who would be willing to follow an instruction to type their credit card number, card security code, and expiration date into regular text boxes. (Taking this to the extreme for hypothetical purposes, because of this risk, should text boxes be eliminated? I don't think so.)

I think with these suggested tweaks to the file upload control that we could allow styling of the text box and browse button on file upload controls for UAs that wish to support the styling. This is assuming, however, that there is not a legitimate use for retrieving the ".value" property on the file upload control in a script, but I can think of none.

Greg
Received on Wednesday, 18 August 2004 08:17:41 UTC
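
The behaviour proposed in the message above, modelled as an added example that is not part of the original message and is not any browser's API. The names legacyControl, proposedControl, firstTrigger and TYPED_PATH are hypothetical, and the typed input is constructed; the two checks are the script conditions quoted in the message.

```javascript
// Model of a file upload control as existing UAs expose it:
// .value is the string typed into the text box portion.
function legacyControl(typed) {
  return { value: typed };
}

// Model of the proposal: .value is a boolean that is true only when the
// number of entered file names is within [min, max] (hypothetical parameters).
function proposedControl(names, min = 1, max = 1) {
  const count = names.filter((n) => n.length > 0).length;
  return { value: count >= min && count <= max };
}

// The two script conditions quoted in the message.
const exactPathCheck = (c) => c.value == 'c:\\autoexec.bat';
const presenceCheck = (c) => Boolean(c.value);

// Constructed sample input: the path from the Bugzilla example, typed by a user.
const TYPED_PATH = 'c:\\autoexec.bat';

// Replay the path one keystroke at a time and return the number of characters
// typed when the check first fires, or -1 if it never does.
function firstTrigger(makeControl, check, path) {
  for (let i = 1; i <= path.length; i++) {
    if (check(makeControl(path.slice(0, i)))) return i;
  }
  return -1;
}

function demo() {
  const proposed = (s) => proposedControl([s]);
  return {
    // String .value: the targeted auto-submit fires once the full path is typed.
    legacyExact: firstTrigger(legacyControl, exactPathCheck, TYPED_PATH),
    // Boolean .value: the comparison against a path never matches.
    proposedExact: firstTrigger(proposed, exactPathCheck, TYPED_PATH),
    // The presence test behaves the same on both, firing on the first character.
    legacyPresence: firstTrigger(legacyControl, presenceCheck, TYPED_PATH),
    proposedPresence: firstTrigger(proposed, presenceCheck, TYPED_PATH),
  };
}

console.log(demo());
```
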