Closed
Bug 44465
Opened 24 years ago
Closed 24 years ago
[RFE] use VALUE attribute for <input type="file" ...>
Categories
(Core :: Layout: Form Controls, enhancement, P3)
Tracking
()
VERIFIED
WONTFIX
People
(Reporter: jag+mozbugs, Assigned: rods)
References
Details
Windows 95, build ID 2000070208
linux, build ID 2000070220
Probably XP.
Current behaviour:
the file select control starts with no files selected
Wished behaviour:
the file select control starts with the list of one or more file names specified
in the VALUE attribute.
HTML4 spec, 17.4.1 Control types created with INPUT:
| ...
| file
| Creates a file select control. User agents may use the value of
| the value attribute as the initial file name.
| ...
Note: the spec uses singular "file name" here, but plural in other places (HTML4
spec, 17.2.1 Control types).
Comment 1•24 years ago
|
||
This is a *serious* security risk:
<div style="display:none">
<input type="file" value="file://localhost/etc/passwd">
<input type="file" value="file:///c|/windows/administrator.pwl">
</div>
<input type="submit" value=" Do Something Innocent And Sweet ">
Marking WONTFIX unless a very SECURE way of implementing this feature is found.
Anyway, this feature is fatally flawed. You cannot know with certainty where
files are going to be on a remote system unless you have access to it, and if
you have access to it they you should be using SSH/SCP/FTP to transfer the files
and not HTTP. (It would be faster, to start with.)
You need to log in
before you can comment on or make changes to this bug.
Description
•