Closed Bug 442295 Opened 16 years ago Closed 14 years ago

text box beside browse button acts as browse button if clicked on


(Firefox :: General, defect)

3.0 Branch
Windows 2000
Not set





(Reporter: carl, Unassigned)




(Whiteboard: [CLOSEME 2010-11-01])


(1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0

If a website has a text box and then to the right of that a browse button for selecting a file to upload, if I click on the text box it will act as if I clicked on the browse button.  Whether or not if I had clicked on the browse button first or not.

Reproducible: Always

Steps to Reproduce:
1. Go to
2. Click on text box that is to the left of the browse button.

Actual Results:  
Window pops up asking for which file I want to upload even though I had only clicked on the text box beside the browse button and not the browse button itself.

Expected Results:  
Show the cursor in the text box of where I had clicked on like in firefox 2.

Does not effect firefox 2.  New bug that only affects firefox 3.0 release.  I noticed this also effects other javascript elements where there are 2 javascript elements beside each other and the one on the left does what the one on the right does.
added version number that this effects.
Version: unspecified → 3.0 Branch
Yes, that's by design: if you can click in it, a malicious site can hide most of it, get you to type letters that you don't realize are spelling out the path to private files, and then upload them without your knowledge.
Closed: 16 years ago
Resolution: --- → DUPLICATE
No OTHER browser does this, and is extremely confusing to an end user like me.  This is a usability problem and needs to be fixed.  This is not a useful thing to put in by design.  I can still click cancel on the popup window and then change what is going to be uploaded.  Therefore it doesn't prevent anything from happening.  It needs to be fixed.  I can still fully check after that what file is going to be uploaded and edit manually what file is to be uploaded.

I'm also told that when doing a file upload like that, the web browser by design is supposed to prevent part of that path from being hidden.  There is no reason to have this in there, fix it.  I always check the path and I can still change it if I want to by clicking cancel and then using the arrow keys to check the file I'm uploading and it's path.  This is just a stupid decision.
Resolution: DUPLICATE → ---
I'm told by one of my web programmers here there is no way for a script to inject text into the text box for the file upload control.  The user has to manually put it in and it still is allowed to be typed in because I can just click on cancel.
(In reply to comment #3)
> No OTHER browser does this

By that I assume you mean "no other browser which is not Safari does this"?

> Therefore it doesn't prevent anything from happening.

Did you look at the bug I marked your report as a duplicate of? And did you see where one of Mozilla's best security researchers said in that bug that the current behavior was implemented in bug 258875? And did you go look at that bug report, and try the demo in it in a browser without this fixed? And did you look at the other bugs mentioned in it, and the bugs eventually marked as duplicates of it, and try the demos in them, and in the bug reports which were marked as duplicates of them, and read the reasons why people who have in some cases been thinking full-time about things like this for eight years or more had for the decision to make this fix rather than any other possible fix?

> There is no reason to have this in there, fix it.

You'll probably find more success with your bug reports if you read and follow - whether or not a decision angers you, there is nobody here who takes orders from you.
Closed: 16 years ago16 years ago
Resolution: --- → DUPLICATE
I see where this could be a problem now.  And I see I can't input any more text, but I still can go back and forth with the arrow keys.  So then technically isn't this already fixed?  I mean I can't change what will be uploaded unless I select another file to upload, but why prompt for another file when you already got the browse button there?  Seems like a bad solution to it when the best way to fix it is to not allow it to be edited in the text box by the browser, which was already done.  This just makes it annoying because it duplicates the browse button.  All that was needed was to make sure the text box for the file upload control could not be edited and that apparently has been done.  So why the extra step of adding in this functionality that does nothing but annoy?
Resolution: DUPLICATE → ---
Hi all.
I would just like to ask if perhaps anyone can provide instructions on disabling this functionality in one's own browser to replicate the functionality found in Firefox 2 (not necessarily the JavaScript part, but being able to edit/paste into the edit control). Perhaps I could edit a component or something myself to give me back control it.
Also, to give you a gauge for community response, you can take a look at these two pages:

Thanks very much, Ehtyar.
I understand the security decision that's been taken, but it would be great to be able to go to "about:config" and edit the "security.allowInsecureFileUpload" property from false to true and have the old behaviour back.

For advanced users willing to bear the burden of security themselves for the sake of usability, this option should be available to them.

I'm with Ehtyar here.
This is a mass search for Firefox General bugs filed against version 3.0 that are UNCO and have not been changed for 200 days.

Reporter, please update to Firefox 3.6.10 or alter. Firefox 3.0 is no longer supported and is no longer receiving updates. After you update, please create a fresh profile,, and test to see if your bug still exists. If you still the bug, then please post a comment with the version you tested against, and the problem. If the issue is no longer there, please set the RESOLUTION to  RESOLVED, WORKSFORME.
Whiteboard: [CLOSEME 2010-11-01]
I understand this is by design.  I do have an idea as an enhancement for this bug but will file it under a different bug instead so this one can be closed.
Closed: 16 years ago14 years ago
Resolution: --- → WONTFIX
Attached file asasa (obsolete) (deleted) —
The content of attachment 692828 [details] has been deleted for the following reason:

Some 'installer.php' file that has nothing to do with this bug.
You need to log in before you can comment on or make changes to this bug.