File upload control issues with ASP.NET (playing with fire)
Date: 01/03/06
(C Sharp) Keywords: html, asp, security, web
Heya all,
I'm working on a web-based application (using ASP.NET and C# on .NET 1.1.4322, supporting only IE6 for Windows) that allows for file uploads. It seems to be a universally agreed that the file upload control is as ugly as they come, so I want to set its style to "display: none;" and interact only with the standard file upload dialog (which can be summoned by firing the click() method of the control, which is exposed under IE6 but not recent versions of Mozilla).
Attempting programmatic access of a file upload control is generally playing with fire, and this time is apparently no exception. Once I call the click() method, it seems, the page is no longer able to post back. When I attempt to submit the form, the value of the file upload control is cleared and the page just sits there. However, if I make the file upload control visible and manually click its "Browse..." button, the page posts back correctly.
For those of you familiar with Gmail's attachment upload interface, this is very close to the effect I am trying to achieve, but something about ASP.NET is apparently interfering (perhaps for my own protection) with the process. Has anybody experienced similar behavior under the same platform, and if so, explain the behavior or point to a KB article or security documentation that might be enlightening ?
Thanks greatly for your time. Toy code can be found after the cut.
Codeahead:
<%@ Page language="c#" Codebehind="Foo.aspx.cs" AutoEventWireup="false" Inherits="FooApp.Foo" %>
Codebehind:
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
namespace FooApp
{
public class Foo : System.Web.UI.Page
{
protected HtmlInputFile f;
protected HtmlGenericControl s;
private void Page_Load(object sender, System.EventArgs e)
{
if (this.IsPostBack)
{
s.InnerText = String.Format("{0} file(s) posted", Request.Files.Count);
if (1 == Request.Files.Count) { s.InnerText += String.Format(", content length: {0}", Request.Files[0].ContentLength); }
}
}
override protected void OnInit(EventArgs e)
{
InitializeComponent();
base.OnInit(e);
}
private void InitializeComponent()
{
this.Load += new System.EventHandler(this.Page_Load);
}
}
}
Source: http://community.livejournal.com/csharp/45787.html