Michal Zalewski schrieb:
This probably explains why the core of the problem wasn't fixed for Firefox: reports were repeatedly reduced to an issue with hiding file input fields by manipulating opacity or visibility (in my example, I placed the box off-screen to the left, at negative absolute coords, instead). A proper solution would be to restrict the ability for scripts to manipulate focus and read contents of file input fields, instead.
A proper solution would be to keep a list of files explicitly selected by the user and only allow uploads of files in this list. Then even if a script can manipulate the field, the browser won't upload files that have not been selected by the user.
Claus
