1

I am trying to upload a file using the following script:

<form name="multiform" id="multiform" method="post" enctype="multipart/form-data" >
<input type="file" size="60" accept="text/plain" id="myfileId" name="myfile"/><br/><br/>
<input type="button" value="Upload File" onclick="submitForm();" /></form>
</body></html>

I have noticed that the file attribute contains the file name along with the full path.

POST /xxx/yyy?uploaddata=1 HTTP/1.1
Host: abc.def.com
:
:
Content-Type: multipart/form-data; boundary=---------------------------22966874711757
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------22966874711757
Content-Disposition: form-data; name="myfile"; filename="**C:\my\file\path\TestFile.txt**"
Content-Type: text/plain

-- ………

I have tried

  1. I have tried disabling "Include local directory path when uploading files to a server", but it does not work with multipart
  2. I have gone through "https://stackoverflow.com/a/20537822/588079" but I am sure how to use this in my HTML form

How can I resolve this problem so that file upload works for any kind of browser?

dgm

1 Answer

2

Disabling "Include local directory path when uploading files to a server" really should work (I tested and verified also in IE10 and IE11). Did you restart IE (as in close all IE windows, or for the heck of it, restart your computer entirely)?
I usually only hear of this 'problem' for the "local internet zone" (where this option is normally enabled by default for backward compatibility for intranet applications), so make sure you change this setting for the appropriate zone!

IE Security settings

You don't describe what problem this behavior leads to in your server-side app, but assuming that your server-side file-upload handler is yours to modify (contrary to some 'black-box' program):
the idea is to remember that you'll receive filenames with and without a path, so you should find the last index of a / or \ character and discard everything up to and including that character (which might lead to an empty string; ultimately, you shouldn't trust any user-provided input, as they can manually create/hack a request header).

My canonical answer that you already read has an example of this in JavaScript and some further info you might want to re-read.

So, if the server-side receiving code is not under your control, you're left with posting a bug to whatever you are using and hoping for a quick update/patch/fix.

GitaarLAB
  • This is where one can locate this setting in IE 11. Internet Options -> Security -> Internet zone -> Custom level -> Include local directory path when uploading files to a server – Zaki Aug 25 '21 at 10:07
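
The server-side handling the answer describes (keep only what follows the last / or \ character, and treat an empty result as unusable), as an added example that is not part of the original question or answer. The function names and sample headers are constructed for illustration, and the header parsing covers only the plain quoted `filename="..."` form shown in the question.

```javascript
// Added example: function names are hypothetical, sample headers are constructed.

// Pull the filename parameter out of a part's Content-Disposition value.
// Simplified: handles only the plain quoted form shown in the question.
function filenameParam(contentDisposition) {
  const m = /;\s*filename="([^"]*)"/i.exec(contentDisposition);
  return m ? m[1] : null;
}

// Reduce a client-supplied filename to a bare base name, or return null when
// nothing usable is left and the server should choose its own name instead.
function baseNameOnly(submitted) {
  if (typeof submitted !== 'string') return null;
  // Discard everything up to and including the last / or \ character,
  // so Windows-style and POSIX-style paths are handled the same way.
  const cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
  let name = submitted.slice(cut + 1);
  // Drop control characters (including NUL), then surrounding whitespace.
  name = name.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  // An empty result or a directory reference is not a file name.
  if (name === '' || name === '.' || name === '..') return null;
  // Refuse names longer than a typical filesystem component limit.
  return name.length > 255 ? null : name;
}

// Constructed Content-Disposition values: with a full path (as IE sends it),
// without a path, with relative segments, ending in a separator, and with
// no filename parameter at all.
const samples = [
  'form-data; name="myfile"; filename="C:\\my\\file\\path\\TestFile.txt"',
  'form-data; name="myfile"; filename="TestFile.txt"',
  'form-data; name="myfile"; filename="../../some/dir/notes.txt"',
  'form-data; name="myfile"; filename="C:\\my\\file\\path\\"',
  'form-data; name="myfile"',
];

function demo() {
  return samples.map((header) => baseNameOnly(filenameParam(header)));
}

console.log(demo());
```

A `null` result means the handler should generate its own storage name rather than reuse anything from the request.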