Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Jump to content

File select: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Cannot select multiple files: Link added for HTML5_File_API
Line 19: Line 19:
<!-- Deleted image removed: [[Image:Firefox2-screen-shot-after-file-selection-winxp.png|right|354px|thumb|After file selection, the filename is displayed in the text field. The form is submitted by clicking the second button; the file will be uploaded.]] -->
<!-- Deleted image removed: [[Image:Firefox2-screen-shot-after-file-selection-winxp.png|right|354px|thumb|After file selection, the filename is displayed in the text field. The form is submitted by clicking the second button; the file will be uploaded.]] -->


When it comes to the rendering on the screen of a file-select control, there is some variation among [[web browser]]s. Typically, on a Windows-based platform, user agents will render a file-select control as a text field, together with a "Browse" button. When the "Browse" button is pressed, a [[file dialog]] opens, with which actual file selection on one's platform can take place. After selection, the filename of the selected file is displayed in the text field, with its full path. Alternatively, instead of using the "Browse" button, the filename can be entered directly in the text field.
When it comes to the rendering on the screen of a file-select control, there is some variation among [[web browser]]s. Typically, on a Windows-based platform, user agents will render a file-select control as a text field, together with a "Browse" button. When the "Browse" button is pressed, a [[file dialog]] opens, with which actual file selection on one's platform can take place. After selection, the filename of the selected file is displayed in the text field. Alternatively, instead of using the "Browse" button, the filename can be entered directly in the text field.


Some browsers, notably [[Firefox]],<ref name=firefox-vuln-info>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=388784 |title=388784 – (CVE-2007-3511) Firefox file input focus stealing vulnerability |publisher=Bugzilla.mozilla.org |date= |accessdate=2013-09-02}}</ref> no longer allow a filename to be typed directly in. This is a security measure - it is possible to trick the user into uploading confidential information.<ref name=juniper>{{cite web |url=http://www.juniper.net/security/auto/vulnerabilities/vuln24725.html |title=Mozilla Firefox OnKeyDown Event File Upload Vulnerability |publisher=Juniper.net |date=2010-11-15 |accessdate=2013-09-02 |archive-url=https://archive.is/20130221164034/http://www.juniper.net/security/auto/vulnerabilities/vuln24725.html |archive-date=2013-02-21 |url-status=dead }}</ref>
Some browsers, notably [[Firefox]],<ref name=firefox-vuln-info>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=388784 |title=388784 – (CVE-2007-3511) Firefox file input focus stealing vulnerability |publisher=Bugzilla.mozilla.org |date= |accessdate=2013-09-02}}</ref> no longer allow a filename to be typed directly in. This is a security measure - it is possible to trick the user into uploading confidential information.<ref name=juniper>{{cite web |url=http://www.juniper.net/security/auto/vulnerabilities/vuln24725.html |title=Mozilla Firefox OnKeyDown Event File Upload Vulnerability |publisher=Juniper.net |date=2010-11-15 |accessdate=2013-09-02 |archive-url=https://archive.is/20130221164034/http://www.juniper.net/security/auto/vulnerabilities/vuln24725.html |archive-date=2013-02-21 |url-status=dead }}</ref>

Revision as of 12:03, 24 June 2020

In HTML, a file-select control is a component of a web form with which a user can select a local file. When the form is submitted (perhaps together with other form data), the file is uploaded to the web server. There, when the file arrives, some action usually takes place, such as saving the file on the web server. However, the particular action that takes place is determined by the server-side script to which the form is submitted.

Code example

Here is a code example of a web form with a file-select control. It is the input element with type="file" that creates the file-select control.

<form action="form-handler.php" method="post" enctype="multipart/form-data">
	<div>
		<input id="myfile" name="myfile" type="file">
		<input value="Upload ►" type="submit">
	</div>
</form>

Rendering

When it comes to the rendering on the screen of a file-select control, there is some variation among web browsers. Typically, on a Windows-based platform, user agents will render a file-select control as a text field, together with a "Browse" button. When the "Browse" button is pressed, a file dialog opens, with which actual file selection on one's platform can take place. After selection, the filename of the selected file is displayed in the text field. Alternatively, instead of using the "Browse" button, the filename can be entered directly in the text field.

Some browsers, notably Firefox,[1] no longer allow a filename to be typed directly in. This is a security measure - it is possible to trick the user into uploading confidential information.[2]

Functionality

The mechanism for form-based file upload was originally proposed in RFC 1867 (published November 1995), as an extension to HTML 2.0 (RFC 1866), after its publication. Form-based file upload then was incorporated in HTML 3.2, which explicitly refers to RFC 1867 for further information on form-based file upload.

HTML 4.01 does not, in itself, describe how the file-select control is supposed to work, but it does list RFC 2388 and RFC 1867 as references.[3]

Multiple file selection

The intention in RFC 1867 is that a single file-select control should allow selection of multiple files. This intention seems reflected in HTML 4.01, which, for the file-select control- type, states[4]

This control type allows the user to select files so that their contents may be submitted with a form. The INPUT element is used to create a file select control.

It has been noted[5] that the plural "files" in the above quote is an indication that, in HTML 4.01, a single-file select-control still was supposed to handle selection of multiple files and not just a single file.

This situation is being clarified in HTML5 by adding a "multiple" attribute when the file input should accept multiple files. The current draft specifies the new behavior to be:

Unless the multiple attribute is set, there must be no more than one file in the list of selected files.[6]

Accept attribute

RFC 1867 also introduced the accept attribute for the input element. This would enable file-type filtering based on MIME type for the file-select control.

In addition, it is proposed that the INPUT tag have an ACCEPT attribute, which is a list of comma-separated media types.

If an ACCEPT attribute is present, the browser might constrain the file patterns prompted for to match those with the corresponding appropriate file extensions for the platform.

Thus, a user-agent may restrict file selection, as, for example, in the following, restricted to GIF and PNG images or any images:

<input id="myfile" name="myfile" type="file" accept="image/gif,image/png">
<input id="myfile" name="myfile" type="file" accept="image/*">

On a Windows platform, this might mean that the user agent would show files only of the types specified in the browse-file dialog.

Browser limitations

Basic support for the file-select control was adopted quickly by browser vendors. For example, already Internet Explorer 4,[7] Netscape Navigator 2.0 and Opera 3.5[8] recognized the input element of type="file" as a file-select control.

However, most modern browsers still do not implement the file-select control as it was intended, or lack certain features.[5]

Cannot select multiple files

Form-based upload of multiple files with a single file-select control is supported in current versions of Chrome, Firefox, Internet Explorer, Safari and Opera. One source states[5] that Opera supports multiple-file selection through a single file-select control. This was true for Opera versions starting from 3.5, in which the file-upload feature was introduced.[8] However, with the first beta release of Opera 7, this function was no longer available. Firefox version 3.6 started supporting multiple-file selection,[9] allowing the developer some limited access to the files themselves prior to being uploaded to the server, via the HTML5 File API.[10] This feature also allows users to drag-and-drop files from external applications (such as Windows Explorer) directly into the web application. One notable example of support for this feature is Gmail allowing attachments to be added in this way.

HTML5 allows multiple file uploads using the multiple attribute on input elements.[11]

JavaScript alternative

One solution is to use client-side scripting such as JavaScript for generating an extra file-select control for each file the user selects for upload. Using CSS, these extra file-select controls may be set not to display. An example of this technique is demonstrated in the Multiple File Upload plugin for jQuery. In this manner, the multiple-file upload problem is solved by providing as many file-select controls as the user has files to upload. Still, this does not solve the problem of selecting multiple files for upload in Internet Explorer.

Accept attribute support

The accept attribute is currently supported by Opera 11+, Chrome 16+, Safari 6+, Firefox 9+ and Microsoft Internet Explorer 10+.

References

  1. ^ "388784 – (CVE-2007-3511) Firefox file input focus stealing vulnerability". Bugzilla.mozilla.org. Retrieved 2013-09-02.
  2. ^ "Mozilla Firefox OnKeyDown Event File Upload Vulnerability". Juniper.net. 2010-11-15. Archived from the original on 2013-02-21. Retrieved 2013-09-02.
  3. ^ "HTML 4 Specification References". W3.org. Retrieved 2013-09-02.
  4. ^ "Forms in HTML documents". W3.org. Retrieved 2013-09-02.
  5. ^ a b c "File input (or "upload") in HTML forms". Cs.tut.fi. Retrieved 2013-09-02.
  6. ^ "HTML 5.1 specification". W3C.
  7. ^ "input type=file Object". Msdn2.microsoft.com. 2013-07-22. Retrieved 2013-09-02.
  8. ^ a b "Browser History: Opera". Blooberry.com. Retrieved 2013-09-02.
  9. ^ on December 10, 2009 by Paul Rouget (2009-12-10). "multiple file input in Firefox 3.6 ✩ Mozilla Hacks – the Web developer blog". Hacks.mozilla.org. Retrieved 2013-09-02.{{cite web}}: CS1 maint: numeric names: authors list (link)
  10. ^ "Using files from web applications - MDC". Developer.mozilla.org. 2013-08-23. Retrieved 2013-09-02.
  11. ^ HTML 5.1 specification: 4.10.5.3 Common input element attributes