[whatwg] Review of the 3.16 section and the HTMLInputElement interface

[Ian Hickson]

On Mon, 17 Nov 2008, Samuel Santos wrote:
> On Wed, Nov 12, 2008 at 12:14 AM, Ian Hickson <ian at hixie.ch> wrote:
> > On Tue, 11 Nov 2008, Samuel Santos wrote:
> > > >> On Thu, 6 Nov 2008, Samuel Santos wrote:
> > > >> >
> > > >> > If changing the button text can be a security issue (e.g. 
> > > >> > induce the user to an action that he's not aware of), we can 
> > > >> > come up with some solutions.
> > > >> >
> > > >> > What about allowing the Author to change the control's locale? 
> > > >> > By doing so, the UA can then render the button with the same 
> > > >> > locale as the application without compromising the security.
> > > >>
> > > >> It seems like browsers should do this already based on the 
> > > >> lang="" attribute. I recommend asking browser vendors to 
> > > >> implement this.
> > > >
> > > > @lang will definitively fix the problem if browsers are willing to 
> > > > implement it.
> > >
> > > Ian, can I ask you to please check this with browser vendors?
> >
> > I don't think the problem is worth fixing, so I'm probably not the 
> > best person to convince them. :-)
> 
> Ian, I've find it really hard to convince someone from english speaking 
> countries that this is an issue. But it really is. As is the limitation 
> of decoration of this control.

As I noted above, I recommend asking browser vendors to implement this.


> What I'm really trying here is to have a valid option in HTML5 so we don't
> have to rely on techniques like these:
> - http://swfupload.org/
> - http://www.quirksmode.org/dom/inputfile.html

This is a security nightmare waiting to happen -- I'm surprised browsers 
let you even change the opacity.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'