To use a file input do you need to be able to set <form enctype=> to multipart?
2008/11/12 Felix <[EMAIL PROTECTED]> > > cl 2637 for issue 509 removed input type=file from the whitelist. > > input type=file is a problem if a malicious gadget can use it > to receive a sensitive file from the user's computer. > > note, the value of the file input can't be pre-filled, > and it can't be set by script. so this is a problem only if > the user can be tricked into entering a filename. > > this is more of a problem in IE than in other browsers, > because IE has a freeform text entry for the filename. > in FF/Safari/Opera, you can't type a filename, > you must select a file with the filepicker widget, > which can't be replaced or camouflaged. > > so... I'm not sure yet what's a good way to handle IE. > > one idea: if I attach an onkeypress handler to the file input, > I can prevent most characters from being typed in the input box, > without interfering with the accessibility of the filepicker button. > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to http://groups.google.com/group/google-caja-discuss To unsubscribe, email [EMAIL PROTECTED] -~----------~----~----~----~------~----~------~--~---
