- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 26 May 2011 14:15:42 -0400
On 5/26/11 2:06 PM, Dennis Joachimsthaler wrote:
>>> <a href='http://example.com/user_content/harmless_text_file.txt'
>>> disposition='attachment; filename="Important_Security_Update.exe"'>
>>
>> At least in the case of Firefox for that particular case on Windows
>> the filename will be sanitized...
>
> So what does Firefox do in this case?

I believe it forces the extension to match the MIME type; if the type is
text/plain the saved filename will be "Important_Security_Update.exe.txt".

>> But yes, there are other situations where things could be more
>> problematic.
>
> Which are these? Please enlighten me.

Well, in the Firefox case, non-Windows OSes, where the theory is that the
handling of a file does not depend on the extension but the practice is
... variable.

-Boris
Received on Thursday, 26 May 2011 11:15:42 UTC
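
The filename handling described in the message above, sketched as an added example; it is not part of the original message and is not Firefox's code. The function name `safeDownloadName`, the type-to-extension table and the policy for unlisted types are assumptions made for illustration.

```javascript
// Constructed table for illustration: MIME type -> extensions consistent with it.
const EXTENSIONS_FOR_TYPE = {
  "text/plain": ["txt"],
  "text/html": ["html", "htm"],
  "image/png": ["png"],
  "application/pdf": ["pdf"],
};

// Hypothetical helper: derive the name to save under from the name the page
// suggested (a disposition/filename hint) and the MIME type actually served.
function safeDownloadName(suggested, mimeType) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  const type = String(mimeType).split(";")[0].trim().toLowerCase();

  // Keep only the last path component, replace control characters and
  // characters Windows rejects, and strip trailing dots and spaces, which
  // Windows drops silently (so "a.txt. " would otherwise be saved as "a.txt").
  let name = String(suggested)
    .split(/[\\/]/)
    .pop()
    .replace(/[\x00-\x1f\x7f<>:"|?*]/g, "_")
    .replace(/[. ]+$/, "");
  if (name === "") name = "download";

  const allowed = EXTENSIONS_FOR_TYPE[type];
  // Assumed policy for types outside the table: append a neutral extension.
  if (!allowed) return name + ".download";

  // Only the final extension decides how Windows opens the file.
  const dot = name.lastIndexOf(".");
  const ext = dot > 0 ? name.slice(dot + 1).toLowerCase() : "";
  if (allowed.includes(ext)) return name;

  // Mismatch: keep the suggested name visible, but force the extension
  // to agree with the served type.
  return name + "." + allowed[0];
}

console.log(safeDownloadName("Important_Security_Update.exe", "text/plain"));
```

The suggested name stays recognisable to the user, while the extension that determines how the file is opened comes from the served type rather than from the linking page.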