HTML and Javascript: getting full directory pathname using input file

Question

From my research, I know that I cannot use HTML input file to get the directory pathname. However, I tried an alternative method where I store the value of the input file into a hidden field and pass the stored value to my back end codes for further processing. Javascript code:

<script type="text/javascript">
function folder_address()
{
    var address=document.getElementById('folder_address');
    var folder=document.getElementById('folder');
    folder.value=address.value;
}
</script>

HTML code:

<input type="file" id="folder_address" name="folder_address" />
<input type="hidden" id="folder" name="folder" />

However, I still get folder.value as the file that I selected and not the full directory pathname of the file. Did I miss out anything?

Answer 1

This behavior isn't meant to be circumvented. Even if you could find a loophole using script/additional fields, the loophole would likely be removed in the future.

I would strongly suggest a design that does not rely on knowing the local path which the user has selected.

It would be a security flaw to reveal a user's directory structure to the server (think c:\users\tmedora in Windows; now you know my user name). In addition, file systems can format paths differently and users are free to name/rename directories as they wish. I'm not sure what value a full path would have to the server. Unless you are in an extremely controlled environment, you have no guarantee that you will even be able to parse the path, let alone count on it containing consistent information.

The W3 specifically states that including the full path is a security vulnerability and requires that user agents prepend the string c:\fakepath\ to file paths.

Some legacy user agents actually included the full path (which was a security vulnerability).

Also see IE Gives full path, FF gives only filename (or directory browse) and How to get the full path of the file from a file input and many others.