- From: Brett Bieber <brett.bieber@gmail.com>
- Date: Fri, 28 Sep 2007 07:10:43 -0500
- To: "Kim Daugaard" <kim.daugaard@gmail.com>, "www-validator Community" <www-validator@w3.org>
On 9/28/07, Kim Daugaard <kim.daugaard@gmail.com> wrote: > Hi Brett Bieber, > > Thanks for your reply. > > Of cause browsers do not support automatic file upload. And that is not what > I am asking for. > > What I am asking for is just a tiny server service: > > When the http://validator.w3.org/#validate_by_upload server > receives the initial URL GET with a parameter, like > ?filename=C:\folder\file.html, it should validate it, and if it is a valid > file name, the server should pre-populate the input field with the file > name, returning the form page to the browser. > > > From page source: > > <input type="file" id="uploaded_file" name="uploaded_file" size="30" > value="C:\folder\file.html" /> > <input title="Submit for validation" type="submit" value="Check" /> > > In real life the folder is way down the file system, and the file to > validate is among hundreds of files. > > By adding the value attribute to the input field holding the file name from > Get request, you will serve our needs. Our testers still have to press the > 'Check' button - no security issue. > > On pages we will use javascript and window.document.URL to define the > validator link like: > > http://validator.w3.org/#validate_by_upload?filename=C:\folder\file.html > > This would be a great service to us, making our validation process for > prototyping more simple. > Hi Kim, You must have missed the first line of my response --- "Browsers do not support pre-populated (default values for) file input fields." The security issue is that if this were possible and you could set a default value for an input type="file" by something simple like this - var uploadel = document.getElementById('uploadfileel'); uploadel.value = 'C:\foo.html'; You could then say document.myform.submit(); This is why the W3C specifies "A user agent should not send any file that the user has not explicitly asked to be sent." http://www.w3.org/TR/html4/appendix/notes.html#h-B.10.1 If what you're suggesting were possible, you could just as easily create a file for your own development and point action attribute of the form to http://validator.w3.org/check (mirroring the file-upload form on the w3 validator's website). I might suggest this as a good exercise for understanding the security issues surrounding forms+file-uploads. > Thanks again. > > Kind regards > Kim Daugaard > > > > > On 9/28/07, Brett Bieber <brett.bieber@gmail.com > wrote: > > On 9/24/07, Kim Daugaard <kim.daugaard@gmail.com> wrote: > > > Hi, > > > > > > I have a suggestion for making W3C validator even more attractive. > > > > > > We are making all html prototyping without any web server (hundreds of > > > pages). We can place a link to the 'Validate by file upload,' > > > http://validator.w3.org/#validate_by_upload on each > page > > > (and we do) but we still have to browse for the file each time we want > to > > > validate it. > > > > > > What I would like, was the ability to add the file name to the > get-request > > > (using javascript, like: > > > > http://validator.w3.org/#validate_by_upload?file=C:\folder\file.html > > > ), and have it filled into the file input field of the upload page. Then > we > > > only need to press 'Check'. > > > > > > That would be really cool! > > > > > > > Hi Kim, > > > > Browsers do not support pre-populated (default values for) file input > > fields. As you can imagine, if this were possible it would be trivial > > to upload specific files off an end user's computer with malicious > > intentions. > > > > For security reasons, any file which is uploaded to a web site must be > > manually selected by the end user. Unfortunately you'll either have to > > manually select and upload the files for validation - or - look into > > one of the documented libraries for connecting to the Validator's API > > and create your own intermediate script which will upload the file to > > the validator, or send the file's content as direct input. > > > > http://validator.w3.org/docs/api.html#libs > > > > -- > > -Brett Bieber > > > > http: saltybeagle.com aim:ianswerq > > > > -- -Brett Bieber http:saltybeagle.com aim:ianswerq
Received on Friday, 28 September 2007 12:10:55 UTC