从< file>获取价值给出C：\ fakepath \ filename，即使在Linux中也是如此 [英] Getting value from <file> gives C:\fakepath\filename, even in Linux

问题描述

我在Chrome和Opera中从文件输入元素中获得了一些非常奇怪的行为（可能更多，还没有测试过）。

I'm getting some very strange behaviour from a file input element in both Chrome and Opera (possibly more, haven't tested).

我有以下HTML：

I have the following HTML:

<div id="profileImgContainer" class="formFile">
    <label>Profile Picture</label><div>
        <input type="text" id="profileImgText"><input type="button" value="Choose File" id="profileImgButton">
    </div>
    <input type="file" id="profileImg" name="profileImg">
</div>

以下jQuery获取文件输入的值并将其放入（可见）文本框中。

And the following jQuery to get the file input's value and put it in the (visible) textbox. The actual file input is hidden.

$(".formFile input[type='file']").live('change', function()
{
    $(this).parents(".formFile").find("input[type='text']").val($(this).val());
});

我制作了一个JSFiddle供你试用。在Firefox中，文本框愉快地获取文件元素的文件名（不关心路径）。然而，在Chrome和Opera中，当选择文件时，可见文本框中的文件路径变为 C：\ fakepath \ [filename] 其中 [文件名] 是所选文件的名称。这个路径显然是假的，但我想知道的是为什么它改变了它，以及隐藏的上传元素中的文件是否仍然可以正常上传。我猜这是一个安全功能，但我可能是错的。

I've made a JSFiddle for you try out. In Firefox, the text box happily takes the filename (don't care about the path) of the file element. In Chrome and Opera, however, when a file is selected the file path in the visible text box changes to C:\fakepath\[filename] where [filename] is the name of the file chosen. This path is obviously fake but what I want to know is why it's changed to it, and whether the file in the hidden upload element will still upload fine. I'm guessing it's a security feature, but I may be wrong.

推荐答案

这是缓解安全问题的一种尝试通过允许任意的外部代码在您的浏览器中运行：脚本（我们假设可能来自恶意攻击者）无法查看（也可能通过AJAX返回）有关本地文件的信息。

This is one attempt to mitigate the security issues you get from allowing arbitrary foreign code to run in your browser: The script (which we assume could come from a malicious attacker) does not get to see (and possibly communicate back via AJAX) information about your local files.

想象一下，如果脚本可以自由设置文件上传和提交表单，会发生什么情况。

Imagine what could happen if a script could just freely set file uploads and submit forms.

这种关于文件上传控件和脚本的行为是由于这个原因，某种标准（我相信是DOM规范的一部分）授权。

This behaviour concerning file upload controls and scripting is mandated by some sort of standard (I believe part of the DOM specification) for this very reason.

这篇关于从< file>获取价值给出C：\ fakepath \ filename，即使在Linux中也是如此的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！