PRB: Cannot Use Script to Manipulate INPUT TYPE=File Value

If you use an INPUT TYPE=File element in an HTML FORM element, you cannot set a file name programmatically, regardless if you use script or set the VALUE property of the INPUT element to a default value.

Because INPUT TYPE=File allows arbitrary files to be uploaded from a user's computer to a remote server, setting this field programmatically is considered a security risk and is not supported.

Uploading content from a user's computer without his or her knowledge is contrary to the security paradigms of Web development. The user should be informed whenever content is going to be transferred off their computer, and the user should be given every opportunity to control or cancel the operation.

If you require such functionality in your Web-based application, use an ActiveX control that is marked unsafe for scripting and/or unsafe for initialization. (The author of the control is responsible for telling users that the control is unsafe because, by definition, uploading files are unsafe. You can sign the control to ask users to trust your control.)

Steps to Reproduce Behavior

1. In any text editor, create the following HTML file, and save the file as TestFileSubmit.htm:

   <HTML>
   
   <HEAD>
   <TITLE>Automating Input=File Dialog Boxes</TITLE>
   
   <SCRIPT>
   
   function load() {
   	frm1.file1.value = "C:\config.sys";
   }
   
   </SCRIPT>
   
   </HEAD>
   
   <BODY bgcolor="#ffffff">
   
   <FORM name="frm1" action="/post.asp" METHOD="POST" 
   
   ENCTYPE="multipart/form-data">
   <INPUT type="File" name="file1" value="c:\boot.ini"></INPUT>
   </FORM>
   
   
   </BODY>
   
   </HTML>
   					

2. In Internet Explorer 4.x or 5.x, load the page. Notice that none of the values that are assigned to the INPUT TYPE=File element appear in the Edit box.

For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites: