PRB: Cannot Use Script to Manipulate INPUT TYPE=File Value (266087)
The information in this article applies to:
- Microsoft Internet Explorer (Programming) 4.0
- Microsoft Internet Explorer (Programming) 4.01
- Microsoft Internet Explorer (Programming) 4.01 SP1
- Microsoft Internet Explorer (Programming) 4.01 SP2
- Microsoft Internet Explorer (Programming) 5
- Microsoft Internet Explorer (Programming) 5.01
- Microsoft Internet Explorer (Programming) 5.01 SP1
- Microsoft Internet Explorer (Programming) 5.5
This article was previously published under Q266087
SYMPTOMS
If you use an INPUT TYPE=File element in an HTML FORM element, you cannot set a file name programmatically, regardless of whether you use script or set the VALUE property of the INPUT element to a default value.
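The symptom can be checked with a small probe, shown here as an added example that is not part of the original article. The function name probeFileInputPreset, the sample path, and the stand-in objects are assumptions constructed for illustration; the stand-ins model a control that silently ignores the write (the behavior described above), a control that rejects it with an exception, and an ordinary text field for contrast, so the code runs without a browser.

```javascript
// Added example (not from the original article). Probes whether script can
// preset the value of a file-upload control. In a browser, pass a real
// <input type="file"> element; the stand-ins below are constructed so the
// probe also runs without a DOM.
function probeFileInputPreset(input, candidatePath) {
  var threw = false;
  try {
    input.value = candidatePath; // the write the article says is unsupported
  } catch (e) {
    threw = true; // the control rejected the write outright
  }
  var accepted = !threw && String(input.value) === candidatePath;
  if (accepted) {
    input.value = ""; // clearing is harmless; do not leave the probe path behind
  }
  return { threw: threw, accepted: accepted };
}

// Constructed stand-in: the write is silently dropped and the value stays
// empty (models the symptom described in this article).
function makeSilentFileInput() {
  var input = { type: "file" };
  Object.defineProperty(input, "value", {
    get: function () { return ""; },
    set: function () { /* ignored */ }
  });
  return input;
}

// Constructed stand-in: any non-empty write raises an exception.
function makeThrowingFileInput() {
  var input = { type: "file" };
  Object.defineProperty(input, "value", {
    get: function () { return ""; },
    set: function (v) { if (v !== "") { throw new Error("write rejected"); } }
  });
  return input;
}

// Constructed stand-in: an ordinary text field, which does accept the write.
function makeTextInput() {
  return { type: "text", value: "" };
}

var SAMPLE_PATH = "C:\\constructed\\sample.txt"; // constructed, not a real file
```

A result of accepted: true for a file control would mean a page can name a file for upload without the user choosing it, which is the condition the CAUSE section describes as a security risk.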
CAUSE
Because INPUT TYPE=File allows arbitrary files to be uploaded from a user's computer to a remote server, setting this field programmatically is considered a security risk and is not supported.
RESOLUTION
Uploading content from a user's computer without his or her knowledge is contrary to the security paradigms of Web development. The user should be informed whenever content is going to be transferred off their computer, and the user should be given every opportunity to control or cancel the operation.
If you require such functionality in your Web-based application, use an ActiveX control that is marked unsafe for scripting and/or unsafe for initialization. (The author of the control is responsible for telling users that the control is unsafe because, by definition, uploading files is unsafe. You can sign the control to ask users to trust your control.)
REFERENCES
For more information about developing Web-based solutions for Microsoft Internet Explorer, visit the following Microsoft Web sites:
Modification Type: Major
Last Reviewed: 5/11/2006
Keywords: kbDHTML kbprb KB266087