- From: Lachlan Cannon <luminosity@members.evolt.org>
- Date: Sun, 08 Sep 2002 13:46:45 +1000
- To: www-style@w3.org
Boris Zbarsky wrote: > In addition to that, there is the security consideration that under no > circumstances must it be possible to trick the user into thinking that a > file upload control is not a file upload control (since said control > allows the page to send content from the user's hard drive to the > server). > > You don't really want to accidentally upload /etc/passwd, you know. But that's not really a styling matter, but a forms implementation manner. The forms which are being used, whether they be html, or xforms, or whatever shouldn't allow authors to specify default pages for picking files. After that, even if the button doesn't look like a browse button, when their OSs filepicker is launched, they'll recognise what has happened. -- Lach __________________________________________ Web: http://illuminosity.net/ E-mail: lach @ illuminosity.net MSN: luminosity @ members.evolt.org __________________________________________
Received on Saturday, 7 September 2002 23:51:17 UTC