Closed Bug 44465 Opened 24 years ago Closed 24 years ago

[RFE] use VALUE attribute for <input type="file" ...>

Categories

(Core :: Layout: Form Controls, enhancement, P3)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows 95
Type:
enhancement

Tracking

()

Status:
VERIFIED WONTFIX

People

(Reporter: jag+mozbugs, Assigned: rods)

References

Details

Windows 95, build ID 2000070208
linux, build ID 2000070220

Probably XP.

Current behaviour:
the file select control starts with no files selected

Wished behaviour:
the file select control starts with the list of one or more file names specified 
in the VALUE attribute.

HTML4 spec, 17.4.1 Control types created with INPUT:
| ...
|   file 
|     Creates a file select control. User agents may use the value of
|     the value attribute as the initial file name.
| ...

Note: the spec uses singular "file name" here, but plural in other places (HTML4 
spec, 17.2.1 Control types).
This is a *serious* security risk:

  <div style="display:none">
   <input type="file" value="file://localhost/etc/passwd">
   <input type="file" value="file:///c|/windows/administrator.pwl">
  </div>

  <input type="submit" value=" Do Something Innocent And Sweet ">

Marking WONTFIX unless a very SECURE way of implementing this feature is found.

Anyway, this feature is fatally flawed. You cannot know with certainty where 
files are going to be on a remote system unless you have access to it, and if
you have access to it they you should be using SSH/SCP/FTP to transfer the files
and not HTTP. (It would be faster, to start with.)
Blocks: html4.01
Status: NEW → RESOLVED
Closed: 24 years ago
Keywords: verifyme
Resolution: --- → WONTFIX
Updating QA contact.
QA Contact: ckritzer → bsharma
verified
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.