Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

PRB: Cannot Use Script to Manipulate INPUT TYPE=File Value


View products that this article applies to.

Symptoms

If you use an INPUT TYPE=File element in an HTML FORM element, you cannot set a file name programmatically, regardless if you use script or set the VALUE property of the INPUT element to a default value.

↑ Back to the top


Cause

Because INPUT TYPE=File allows arbitrary files to be uploaded from a user's computer to a remote server, setting this field programmatically is considered a security risk and is not supported.

↑ Back to the top


Resolution

Uploading content from a user's computer without his or her knowledge is contrary to the security paradigms of Web development. The user should be informed whenever content is going to be transferred off their computer, and the user should be given every opportunity to control or cancel the operation.

If you require such functionality in your Web-based application, use an ActiveX control that is marked unsafe for scripting and/or unsafe for initialization. (The author of the control is responsible for telling users that the control is unsafe because, by definition, uploading files are unsafe. You can sign the control to ask users to trust your control.)

↑ Back to the top


More information

Steps to Reproduce Behavior

  1. In any text editor, create the following HTML file, and save the file as TestFileSubmit.htm:
    <HTML>
    
    <HEAD>
    <TITLE>Automating Input=File Dialog Boxes</TITLE>
    
    <SCRIPT>
    
    function load() {
    	frm1.file1.value = "C:\config.sys";
    }
    
    </SCRIPT>
    
    </HEAD>
    
    <BODY bgcolor="#ffffff">
    
    <FORM name="frm1" action="/post.asp" METHOD="POST" 
    
    ENCTYPE="multipart/form-data">
    <INPUT type="File" name="file1" value="c:\boot.ini"></INPUT>
    </FORM>
    
    
    </BODY>
    
    </HTML>
    					
  2. In Internet Explorer 4.x or 5.x, load the page. Notice that none of the values that are assigned to the INPUT TYPE=File element appear in the Edit box.

↑ Back to the top


References

For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites:

↑ Back to the top


Properties

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

↑ Back to the top


Keywords: KB266087, kbprb, kbdhtml

↑ Back to the top

Article Info
Article ID : 266087
Revision : 3
Created on : 5/11/2006
Published on : 5/11/2006
Exists online : False
Views : 487