On Fri, Jan 9, 2015 at 2:29 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 1/9/15 7:14 AM, Anne van Kesteren wrote:
> OK. So just to be clear, the type will be set before the input's cloning
> callback runs, yes?

Yes.

>> It's a bit unclear to me why "When an input element's type attribute
>> changes state" does not sanitize this value
>
> When the type changes it sanitizes the value of the input. Though I see
> nothing in the spec to indicate this; I filed
> https://www.w3.org/Bugs/Public/show_bug.cgi?id=27791

As far as I can tell from the specification, when the value IDL attribute is in the filename mode, any values that might be stored in internal slots are ignored.

> Because if the cloning steps in HTML are left as-is but run after script can
> change the type, then you can create a file input with an arbitrary value
> filled in. Which is a security concern.

As far as I can tell from the specification you cannot influence the value returned by <input type=file>.value in any way.

-- 
https://annevankesteren.nl/