cl 2637 for issue 509 removed input type=file from the whitelist. input type=file is a problem if a malicious gadget can use it to receive a sensitive file from the user's computer.
note, the value of the file input can't be pre-filled, and it can't be set by script. so this is a problem only if the user can be tricked into entering a filename. this is more of a problem in IE than in other browsers, because IE has a freeform text entry for the filename. in FF/Safari/Opera, you can't type a filename, you must select a file with the filepicker widget, which can't be replaced or camouflaged. so... I'm not sure yet what's a good way to handle IE. one idea: if I attach an onkeypress handler to the file input, I can prevent most characters from being typed in the input box, without interfering with the accessibility of the filepicker button.
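
One way the onkeypress idea from the message above could look, as an added sketch (not Caja code and not part of the original post). The function names and the choice of Tab, Enter and Space as the keys left usable are assumptions.

```javascript
// Added example. Key codes left usable so keyboard users can still reach
// and activate the file picker button: Tab (9), Enter (13), Space (32).
// This allowlist is an assumption of the sketch.
var ALLOWED_KEY_CODES = [9, 13, 32];

// During keypress, legacy IE reports the typed character in keyCode;
// other browsers use charCode or which. Take whichever is set.
function keyCodeOf(ev) {
  return ev.charCode || ev.keyCode || ev.which || 0;
}

// Default-deny: a keypress passes only if its code is on the allowlist,
// so letters, digits, slashes, colons and dots never reach the text box.
function isAllowedKeypress(ev) {
  return ALLOWED_KEY_CODES.indexOf(keyCodeOf(ev)) !== -1;
}

// Attach the filter to one file input (hypothetical helper name).
function guardFileInput(input) {
  input.onkeypress = function (ev) {
    // Legacy IE passes no argument and exposes the event as window.event.
    ev = ev || (typeof window !== 'undefined' ? window.event : {});
    if (isAllowedKeypress(ev)) return true;
    if (ev.preventDefault) ev.preventDefault();
    ev.returnValue = false; // legacy IE way of cancelling the event
    return false;
  };
  return input;
}

// In a browser, guard every file input on the page.
if (typeof document !== 'undefined') {
  var inputs = document.getElementsByTagName('input');
  for (var i = 0; i < inputs.length; i++) {
    if (inputs[i].type === 'file') guardFileInput(inputs[i]);
  }
}
```

The filter only sees keypress events, so it does nothing about text that reaches the box by any other route.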
