Re: Pseudo-Classes :button and :input from Tobias Herp on 2009-09-16 (www-style@w3.org from September 2009)

From: Tobias Herp <Tobias.Herp@gmx.net>
Date: Wed, 16 Sep 2009 21:43:17 +0200
To: www-style@w3.org
Message-ID: <20090916194317.322920@gmx.net>

"Tab Atkins Jr." <jackalmage@gmail.com> wrote:
> Not everyone exposes a text input for <input type=file>.  Chrome,
> frex, just shows a button at first, and after selecting a file shows
> the filename following the button.

Regarding this, please see my answer to Boris' mail.

> Also, file inputs specifically allow very little interaction via CSS
> and JS for security reasons - you don't want a user to be tricked into
> entering a filename into what looks like a normal input field, and
> have them unknowingly submit a file with the form.

I regard this as a merely hypothetical threat, and there are solutions.

When did you ever enter something like a filename into any form field?
Who would ever enter a working filename into an input field and not expect the file to be uploaded?

Most files on my system have an extension; they contain a point which is not the last character (but instead followed by a word border). The only thing like this I submit every now and then is an email address, and I don't have files with such names.

You recognize a filename when you see one (as for unexperience users: see below).

Windows by default hides "known extensions"; thus, many unexperienced users are not really aware of them. If such people would be tricked into entering a filename, they would omit the extension, and the upload wouldn't work. Browsers are not webservers which can try a preference list of e.g. image extensions.

Any other threat related to file uploads I can think of involves scripting, and thus is unrelated to styles (IIRC, Javascript can't access the local file system).  Disable Javascript in your browser if you feel you must; some badly designed forms will cease to work, but you are safe.

BTW, it is already possible to use a background image for the button part using Javascript (see http://www.appelsiini.net/projects/filestyle/demo.html). Use a monochromatic image, and you have an invisible button.

No, we don't want everyone to use background images for every button because this is the only way to make them look alike; and the additional markup just for this purpose is a PITA as well. It would be much better to have a convenient CSS selector.

If you are still concerned: Some Browsers nowadays automatically open a file upload control when the input field is entered, and/or don't allow any manual input. In this case you can't be mistaken about the nature of the data.
-- 
Tobias

Received on Wednesday, 16 September 2009 19:43:58 UTC