On Wednesday 22 December 2004 02:29, Dakota Jack wrote:
> There actually are a lot of things you can do with this that are not
> obvious and are consistent with what seems to be impossible. You can
> actually get around almost all of the restrictions on
> <input type='file'> without breaking security. You just create GUI facades
> with span styles. This can allow you to actually make a person think
> they are uploading a file when in fact they are just sending the file
> name to the server, etc. This is also used to insert images in the
> place of file upload browser based buttons.

afaik, Eddie's right. Last time we kicked this around on an HTML discussion forum, we couldn't find a way to obscure, in any way, the actual file "browse" button. There have been significant changes in all the major browsers since then, so things could have changed, but I would doubt any such changes are intentional.

If you overlay the browse button with an image, the button doesn't receive the onClick event. There is no way for any other control to click the button programmatically. Similarly, you can overlay the actual filename box, but nothing is permitted to programmatically change the contents of the filename.

Yes, you can make it look as if you upload a file while sending just the name (other than by just leaving off the "enctype" attribute) - it's possible to read the contents of the filename box and change another object's value - you just can't write to the filename. You should, however, be able to programmatically submit the form, once the user has filled in the filename, so you can stick an image over that button (but then you could use an image button directly).

-- derek