Testing a file-type input element

On Tue, 10 Apr 2007 21:43:06 -0700
Ed Jay <ed***@aes-intl.comwrote:

I'm trying to validate a form's file input elements using javascript,
but I'm getting nowhere. How can javascript test if a file has been
selected using a file form input element?

I expect a javascript newsgroup would know.

But any javascript access to filesystem information would be a
gaping security hole in a browser.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Nick Kew scribed:

>On Tue, 10 Apr 2007 21:43:06 -0700
Ed Jay <ed***@aes-intl.comwrote:

>I'm trying to validate a form's file input elements using javascript,
but I'm getting nowhere. How can javascript test if a file has been
selected using a file form input element?

I expect a javascript newsgroup would know.

They didn't respond to the question, so apparently, they don't know.

I'll rephrase the question: How can one client side test whether or not a
file has been selected using the file input element?

>
But any javascript access to filesystem information would be a
gaping security hole in a browser.

I'm not sure it's involuntarily accessing the file system. The user selects
a filename...I would think there's some client-side manner to ascertain what
the filename selected is, or whether one was selected at all. It's trivial
to do it serverside.
--
Ed Jay (remove 'M' to respond by email)

Ed Jay <ed***@aes-intl.comwrites:

I'm not sure it's involuntarily accessing the file system. The user selects
a filename...I would think there's some client-side manner to ascertain what
the filename selected is, or whether one was selected at all. It's trivial
to do it serverside.

That's not necessarily true. The web browser sends a comment that
usually looks somewhat like a filename, yes, but it needn't be the
filename that the file had on the user's filesystem (indeed, in some
cases with automated HTTP requests, the file may never actually exist
on any filesystem).

Certainly major browsers differ in whether the full filesystem path is
sent to the server or not, for example.

As far as client-side security goes:
http://www.securityfocus.com/archive...0/150/threaded
is an interesting bug that involved messing around with browser focus
to get the user to upload a file of your choice to you. Consider how
much easier that would have been to exploit if Javascript had direct
access to the contents of the file field and it's understandable that
browsers generally don't (unfortunately at the time that bug was
reported they hadn't considered that they shouldn't let you focus a
file field either).

--
Chris

Chris Morris scribed:

>Ed Jay <ed***@aes-intl.comwrites:

>I'm not sure it's involuntarily accessing the file system. The user selects
a filename...I would think there's some client-side manner to ascertain what
the filename selected is, or whether one was selected at all. It's trivial
to do it serverside.

That's not necessarily true. The web browser sends a comment that
usually looks somewhat like a filename, yes, but it needn't be the
filename that the file had on the user's filesystem (indeed, in some
cases with automated HTTP requests, the file may never actually exist
on any filesystem).

It's absolutely true in my specific case.

My users focus a camera image on-screen and press a key that takes a
snapshot of the screen and auto-saves the image to a known folder. They can
snap/save from one to up to five screens...it's arbitrary. The user is given
'n' file input elements and asked to select the files for uploading.
Example: The user snaps/saves three screens, so three file input elements
are printed. When the user is finished, he presses a button and the form is
submitted to a server side script (CGI) that uploads the files. The issue
may arise when the user inadvertently submits the form without selecting all
files for uploading.

I can test for an empty file form element name at the server side script,
but I want to do it client side, before the form is submitted to the server.

>
Certainly major browsers differ in whether the full filesystem path is
sent to the server or not, for example.

Irrelevant, or at least unimportant in my specific case.

>
As far as client-side security goes:
http://www.securityfocus.com/archive...0/150/threaded
is an interesting bug that involved messing around with browser focus
to get the user to upload a file of your choice to you. Consider how
much easier that would have been to exploit if Javascript had direct
access to the contents of the file field and it's understandable that
browsers generally don't (unfortunately at the time that bug was
reported they hadn't considered that they shouldn't let you focus a
file field either).

--
Ed Jay (remove 'M' to respond by email)

Scripsit Ed Jay:

>I expect a javascript newsgroup would know.

They didn't respond to the question, so apparently, they don't know.

You didn't get an answer that you liked, so you moved to a group where the
question is surely off-topic and didn't even tell about having asked
elsewhere. Do you want to get plonked?

I'll rephrase the question: How can one client side test whether or
not a file has been selected using the file input element?

It's still off-topic here.

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/

Jukka K. Korpela scribed:

>Scripsit Ed Jay:

>>I expect a javascript newsgroup would know.

They didn't respond to the question, so apparently, they don't know.

You didn't get an answer that you liked

What part of 'they didn't respond' do you not understand?

>, so you moved to a group where the
question is surely off-topic and didn't even tell about having asked
elsewhere. Do you want to get plonked?

If your post is an indication of how you typically respond...without
answering the question, but castigating instead...please feel free to plonk
me.

>

>I'll rephrase the question: How can one client side test whether or
not a file has been selected using the file input element?

It's still off-topic here.

I disagree. I was asking about a specific HTML element, no?

At any rate, you answered my question in
<http://www.cs.tut.fi/~jkorpela/forms/file.html>. Thanks.
--
Ed Jay (remove 'M' to respond by email)

Ed Jay wrote:

I disagree. I was asking about a specific HTML element, no?

No. You were asking about how to write JavaScript.