The "accept" attribute, basically only serves to filter the file selection dialog box to show only valid formats. But there is nothing stopping the user from selecting an invalid one. This type of validation should always be done server side.

It limits what the dialog shows. But it can easily be overridden.

BTW, it works for me on FF and Chrome on Windows and Ubuntu. And IE on Windows to filter the files.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

FF still shows 'all files' as default, but it does have the filter as a drop down selection.

I was hoping to only have to check file type once client side, but it seems the shim I'm using isn't working with the options argument (though I may be passing it incorrectly), and now even those that do handle the HTML 5 attribute, don't actually lock down the file type.

Bit odd as the attribute is called 'accept' not 'filter'.

Oh well, looks like I still need to code client side validation on top of this attribute as well as the usual defensive server side coding.

Thanks for the clarification Phil, appreciated.

"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

Quote:

I was hoping to only have to check file type once client side

Oooh no, dangerous client side that check is.

But seriously not checking server side, preferably by content type (MIME) allows such things as filename.php.jpg or filename.pl.png to be uploaded which will execute as PHP and Perl scripts respectively.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

I think you miss-read what I meant.

I was hoping HTML5 'accept' would prevent invalid files being submitted and then I only need the usual server side checking.

It seems I still need to write stuff client side as well as server side.

I wasn't implying I only wanted to do it once on the client side leaving the web service vulnerable!

"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

There's not much you can do client side with a File input as there is no access to the input itself through JS (not sure if jquery offers anything, doubt it though) for security reasons.

Basically there's no way to know what the user is submitting until it reaches the server.

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech