Closed Bug 44465 Opened 24 years ago Closed 24 years ago

[RFE] use VALUE attribute for <input type="file" ...>

Categories

(Core :: Layout: Form Controls, enhancement, P3)

x86
Windows 95
enhancement

Tracking

()

VERIFIED WONTFIX

People

(Reporter: jag+mozbugs, Assigned: rods)

References

Details

Windows 95, build ID 2000070208 linux, build ID 2000070220 Probably XP. Current behaviour: the file select control starts with no files selected Wished behaviour: the file select control starts with the list of one or more file names specified in the VALUE attribute. HTML4 spec, 17.4.1 Control types created with INPUT: | ... | file | Creates a file select control. User agents may use the value of | the value attribute as the initial file name. | ... Note: the spec uses singular "file name" here, but plural in other places (HTML4 spec, 17.2.1 Control types).
This is a *serious* security risk: <div style="display:none"> <input type="file" value="file://localhost/etc/passwd"> <input type="file" value="file:///c|/windows/administrator.pwl"> </div> <input type="submit" value=" Do Something Innocent And Sweet "> Marking WONTFIX unless a very SECURE way of implementing this feature is found. Anyway, this feature is fatally flawed. You cannot know with certainty where files are going to be on a remote system unless you have access to it, and if you have access to it they you should be using SSH/SCP/FTP to transfer the files and not HTTP. (It would be faster, to start with.)
Blocks: html4.01
Status: NEW → RESOLVED
Closed: 24 years ago
Keywords: verifyme
Resolution: --- → WONTFIX
Updating QA contact.
QA Contact: ckritzer → bsharma
verified
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.