2

I want a form uploads some files to the server but I want it is transparent for user. I have a input tag outside the form which is cloned to the form with cloneNode() [Javascript] every time the user changes its value. The name of the input tag is "files[]". Mozilla Firefox clones the input correctly but IE doesn't copy its value and with IE the inputs inside the form are empty. How can I copy the input field correctly with IE?

A piece of code:

In the Javascript function called when input.onChange:

InputCopy = InputParent.childNodes[i].cloneNode(true);
document.getElementById('divFromForm').appendChild(InputCopy);

The HTML input tag: <input type="file" id="archivoAnadir" name="files[]" onChange="anadir(this.value)">

The PHP request:

foreach ($_FILES["files"]["name"] as $key => $file) {
    $query = "...";
    mysql_query($consulta) or die("...");

    if (!is_uploaded_file( $_FILES["files"]["tmp_name"][$key] )) die("...");
    if (!move_uploaded_file($_FILES["files"]["tmp_name"][$key], "media/" . $file)) die ("..." . $file);
}

Thanks.

ehm
  • 23,789
  • 5
  • 28
  • 31
peterJk
  • 247
  • 1
  • 3
  • 8
  • Could you post the code here? Or at least the relevant parts. It makes the debugging process easier: being able to see the code :] – Atli Jan 17 '10 at 10:15
  • Actually, if it is actually possible to copy an input of `type=file` *including* the value into a form (which is what it seems you're suggesting is possible for firefox), that would be quite a security risk. Please show us the code. – Roland Bouman Jan 17 '10 at 10:27
  • Because of I couldn't modifying "value", I used cloneNode() and appendChild(). I think it isn't a security risk because I am copying a input field which user has changed. I can't change it. – peterJk Jan 17 '10 at 11:00

1 Answers1

2

Edit: Funnily enough, the very same question was asked only a week ago on SO. The comments in the accepted answer provide a good explanation why this can't be done.

I am pretty sure this is not working due to a security restriction, and rightly so.

In my perception, IE generally tends to be more strict with stuff like this, maybe because they've been so badly burned (and had such gaping security holes) in the past.

You could argue that the user did set the value, and copying the element thus should be ok. But this kind of stuff is what back doors for some cross-site-frame-something shenanigans (that work when frame A is in this domain, frame B in that, the user is Male and under thirty, and the Moon is in Virgo) are made of, so I find it understandable that it is forbidden.

Community
  • 1
  • 1
Pekka
  • 442,112
  • 142
  • 972
  • 1,088