W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2007

[whatwg] input type="file" value inconsistencies

From: Michael A. Puls II <shadow2531@gmail.com>
Date: Wed, 14 Nov 2007 05:50:19 -0500
Message-ID: <6b9c91b20711140250w58921b1amee25149b96d87394@mail.gmail.com>
On 11/14/07, Daniel Veditz <dveditz at cruzio.com> wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.

Opera's way is safer, but I hate it sometimes.

For example, if I make the page:

<input type="file" oninput="alert(this.value)">

and choose the file 'f:\audio\some file.ogg', I expect the alert to
show "file://localhost/f:/audio/some%20file.ogg".

(There's no harm in that exact situation.)

For browsers, I really expect options like:

[file input script access]
Reveal full path for file input = no (default) | yes with warning | yes
Full path format for file input = native (default) | file URI
Quote full path for file input = yes (default) | no

However, the spec can't say those things I think. All it can say is
that scripts should only have access to the file name (like Opera).

Received on Wednesday, 14 November 2007 02:50:19 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:59 UTC