Prevent a Paste of a Filename in an Input Type=File

[Larry Bud]

I rarely crosspost, but this affects both ASP and Javascript

REALLY odd bug that I ran across in ASP 3.0. I have an input type of
file, user clicks browse, then places his cursor in the filename, puts
a space at the end of the file, and uploads it. Web server doesn't
translate the MIME type of document properly because it doesn't end
with a valid extension, yet the file itself uploads successfully. I'm
using SAFileUP for my uploading component.

So I now return a FALSE in an ONKEYPRESS event, which prevents the
user from entering a space at the end of the file (why he does this is
beyond me, but I'm trying to idiot proof this thing).

Problem is, the ONKEYPRESS doesn't prevent a Paste of a string into
the field, so it's still technically possible to munge the filename.
Blurring the control on a focus or setting it to disabled doesn't work
because it makes the Browse button unfunctional.

Platform: i.e.6.

Any ideas?

 

[dev_jg]

I rarely crosspost, but this affects both ASP and Javascript

REALLY odd bug that I ran across in ASP 3.0. I have an input type of
file, user clicks browse, then places his cursor in the filename, puts
a space at the end of the file, and uploads it. Web server doesn't
translate the MIME type of document properly because it doesn't end
with a valid extension, yet the file itself uploads successfully. I'm
using SAFileUP for my uploading component.

So I now return a FALSE in an ONKEYPRESS event, which prevents the
user from entering a space at the end of the file (why he does this is
beyond me, but I'm trying to idiot proof this thing).

Problem is, the ONKEYPRESS doesn't prevent a Paste of a string into
the field, so it's still technically possible to munge the filename.
Blurring the control on a focus or setting it to disabled doesn't work
because it makes the Browse button unfunctional.

Platform: i.e.6.

Any ideas?

DONT try to do anything wih file upload input field in Javascript,it
may not work (Just Use VB server side code to trim out the spaces in
the filename you get. )

since a malicious JS can upload whatever files it wants, just by
chaning the path in the File upload field,
one cannot change .value on it in JS an i belive there are constraints
on what can be done with key events too.

 

[dev_jg]

DONT try to do anything wih file upload input field in Javascript,it
may not work (Just Use VB server side code to trim out the spaces in
the filename you get. )

since a malicious JS can upload whatever files it wants, just by
chaning the path in the File upload field,
one cannot change .value on it in JS an i belive there are constraints
on what can be done with key events too.- Hide quoted text -

- Show quoted text -

sorry about the previos reply, you cant implement in the way i said,

i forgot that you just get the file stream on ASP end and not the
fileName.

 

[pcx99]

input fields are **READ ONLY** by javascript. That is you can look but
you can not in any way modify the contents or alter the behavior. What
you can do is to do an onSubmit event in your form and check the file
name, if there is anything you don't like about it (trailing spaces for
instance) you can alert the user and disallow the submission.

That's the best you can hope for. Sorry.

 

[Larry Bud]

I rarely crosspost, but this affects both ASP and Javascript

input fields are **READ ONLY** by javascript. That is you can look but
you can not in any way modify the contents or alter the behavior. What
you can do is to do an onSubmit event in your form and check the file
name, if there is anything you don't like about it (trailing spaces for
instance) you can alert the user and disallow the submission.

That's the best you can hope for. Sorry.

Yeah, I realize it's read only, I was just hoping there was a way to
prevent a paste.

But that's what I'm doing, I'm checking for a validly formed filename.

 

[VK]

Yeah, I realize it's read only, I was just hoping there was a way to

prevent a paste.

But that's what I'm doing, I'm checking for a validly formed filename.

You can solve the problem only in radical way: by not letting users to
manually type anything in input. They will have to click "Browse" and
select a real file from dialog. It may be too rude for some
environments, but overall not such a bad idea. See
<http://www.quirksmode.org/dom/inputfile.html>

 

[Evertjan.]

pcx99 wrote on 08 feb 2007 in microsoft.public.inetserver.asp.general:

input fields are **READ ONLY** by javascript. That is you can look but
you can not in any way modify the contents or alter the behavior.

That so? Methinks not!

<input name='q' id='q' value='first'>
<script type='text/javascript'>
var q = document.getElementById('q')
alert(q.value) // read value
q.value = 'second' // overwrite value
</script>

Only <input type='file'> values unaccessable by js, both read and write!

<input name='q' id='q' value='first' type='file'>
<script type='text/javascript'>
var q = document.getElementById('q')
alert(q.value) // blank
q.value = 'second' // no effect

Many ASP scripting is written in J[ava]script! ;-)

 

[Bob Barrows [MVP]]

pcx99 wrote on 08 feb 2007 in microsoft.public.inetserver.asp.general:


That so? Methinks not!

He should have said "input fields whose type is "file" ... "

 

[Evertjan.]

Bob Barrows [MVP] wrote on 08 feb 2007 in
microsoft.public.inetserver.asp.general:

He should have said "input fields whose type is "file" ... "

Even so, as I showed, they are NOT read only, Bob,
as they cannot EVEN be read by clientside javascript.
They, the type-file-input-values, are simply inaccessable.

 

[pcx99]

Clientside javascript has no problems reading the contents of an input
of type file. It will crash your script with a security error if you
attempt to use javascript to change the contents though. The newer
browsers will show only the file name and not the full path (IE7
notably), perhaps the path filters threw out your input as invalid
before the display. Regardless...

<form>
<input type="file" id="ff">
</form>

<button onClick="alert(document.getElementById('ff').value)">Click Me to
read</button>

Will quite merrily show you the contents of the input field provided
there is actually something there.

And Bob is quite right, I should have specified type=file, however it
really didn't occur to me that given the question it would actually need
to be stated. Sometimes the lawyerball in these forums can be quite
maddening.

 

[Evertjan.]

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

[Please do not toppost on usenet]

Clientside javascript has no problems reading the contents of an input
of type file. It will crash your script with a security error if you
attempt to use javascript to change the contents though. The newer
browsers will show only the file name and not the full path (IE7
notably), perhaps the path filters threw out your input as invalid
before the display. Regardless...

<form>
<input type="file" id="ff">
</form>

<button onClick="alert(document.getElementById('ff').value)">Click Me
to read</button>
Will quite merrily show you the contents of the input field provided
there is actually something there.

You are right, I did a test that showed otherwise,
[by specifying value='qwerty', but that is in itself faulty]

And Bob is quite right, I should have specified type=file, however it
really didn't occur to me that given the question it would actually
need to be stated.

No, my argument was about the "read only", not the specification per se.

Sometimes the lawyerball in these forums can be quite
maddening.

'lawyerball' what is that? If you want to say something please do not
use local slang.

 

[pcx99]

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

[Please do not toppost on usenet]

That is a definition of lawyerball.

'lawyerball' what is that? If you want to say something please do not
use local slang.

As is this.

Consider it thus: Quibbling over inconsequential semantics and requiring
every last word to be strictly, legally defined to accommodate anal
retentive people who are unable to read things in context.

 

[Evertjan.]

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

[Please do not toppost on usenet]

That is a definition of lawyerball.

You don't even seem to know the definition of definition.

As is this.

Consider it thus: Quibbling over inconsequential semantics and requiring
every last word to be strictly, legally defined to accommodate anal
retentive people who are unable to read things in context.

If you are happy arguing about that, so be it.
You must be new on usenet,
expecting to make your own netiquette and
disregarding that these are two international NGs.

 

[Anthony Jones]

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

pcx99 wrote on 09 feb 2007 in microsoft.public.inetserver.asp.general:

[Please do not toppost on usenet]

That is a definition of lawyerball.

You don't even seem to know the definition of definition.

As is this.

Consider it thus: Quibbling over inconsequential semantics and requiring
every last word to be strictly, legally defined to accommodate anal
retentive people who are unable to read things in context.

If you are happy arguing about that, so be it.
You must be new on usenet,

Yeah those us who have been around these news groups have just given up
arguing with you about it

 

[Dave Anderson]

The newer browsers will show only the file name and not the
full path (IE7 notably), perhaps the path filters threw out
your input as invalid before the display.

For what it's worth, IE7 still sends the full path with the form submission,
regardless of what it displays.