O'Reilly

File Uploads and C:\fakepath\

By on  

I was recently working on a project that required providing an AJAX uploading widget to users. I decided to use Dojo's dojox.form.FileInput widget so the "Upload" button would look just like every other button within the web application. Everything worked great until I tested the widget in Chrome and found that the value of the input node was being set to C:\fakepath\{Original File Name}. I then checked Internet Explorer and Safari; both of them were prepending "C:\fakepath" to the file name. WTF?!

After doing some research, I found this blog post, which explained:

According to the specifications of HTML5, a file upload control should not reveal the real local path to the file you have selected, if you manipulate its value string with JavaScript. Instead, the string that is returned by the script, which handles the file information is C:\fakepath.

This requirement is already implemented in Internet Explorer 8 – the real path to the file will be shown only if the page that contains the control is added to the trusted sites collection of the browser.

That made sense; essentially the browser is feeding that lame C:\fakepath\ text in. Luckily all I needed to do was fix the issue by doing a simple string replace call:

// Change the node's value by removing the fake path
inputNode.value = fileInput.value.replace("C:\\fakepath\\", "");

Whew -- dodged a bullet there. Just wanted to post this for everyone in case you run into it in the future.

O'Reilly Velocity Conference
Save 20% with discount code AFF20

Recent Features

  • LightFace:  Facebook Lightbox for MooTools

    One of the web components I've always loved has been Facebook's modal dialog.  This "lightbox" isn't like others:  no dark overlay, no obnoxious animating to size, and it doesn't try to do "too much."  With Facebook's dialog in mind, I've created LightFace:  a Facebook lightbox...

  • CSS Gradients

    With CSS border-radius, I showed you how CSS can bridge the gap between design and development by adding rounded corners to elements.  CSS gradients are another step in that direction.  Now that CSS gradients are supported in Internet Explorer 8+, Firefox, Safari, and Chrome,...

Incredible Demos

  • background-size Matters

    It's something that makes all men live in fear, and are often uncertain of. It's never spoken, but the curiosity is always there. Nine out of ten women agree in the affirmative. Advertisers do their best to make us feel inadequate but...

  • Sexy Album Art with MooTools or jQuery

    The way that album information displays is usually insanely boring. Music is supposed to be fun and moving, right? Luckily MooTools and jQuery allow us to communicate that creativity on the web. The XHTML A few structure DIVs and the album information. The CSS The CSS...

Discussion

  1. fishbone

    I was always wondering whether the file-upload field is a security problem in general. couldn’t a you theoretically get any file from the client’s computer by manipulating the form-field’s value? But I’ve been too lazy to verify this…

  2. Martin

    Came across this exact same thing about a day before this post! Confused me at first too :)

  3. Martijn


    document.getElementById("fileInput").files[0].fileName;

    this returns the real filename without the ‘C:\fakepath\’.

    this also works for:

    document.getElementById("fileInput").files[0].fileSize;

    this returns the filesize in bytes ;)

    • Goulart

      Martinjn,
      Could you help me? With your code the “C\fakepath” don’t show anymore. But the file update is name on BD but won’t upload.


      <input id="fakeupload" name="fakeupload[]" class="inputfile fakeupload" type="text" />
      <input id="path" name="path[]" class="inputfile realupload" type="file" value="" onchange="javascript:document.getElementById('fakeupload').value = document.getElementById('path')value;" />

  4. Arnold

    Hi there, could you help me with how to implement this on a form what has the input file?

    // Change the node's value by removing the fake path
    inputNode.value = fileInput.value.replace("C:\\fakepath\\", "");
    

    I get confuse. Thanks.

  5. Goulart

    How do I use the .files[0].fileSize in the code below?

    <input id="fakeupload" name="fakeupload[]" class="inputfile fakeupload" type="text" />
    <input id="path" name="path[]" class="inputfile realupload" type="file" value="" onchange="javascript:document.getElementById('fakeupload').value = document.getElementById('path').value;" />

    Tks!

  6. genius
    document.getElementById("fileInput").files[0].fileName;

    does not work but

    document.getElementById("fileInput").files[0].name;

    Works!

    There is no need to use this

    inputNode.value = fileInput.value.replace(“C:\\fakepath\\”, “”);

    to replace the fakepath with empty string
    as it may not work on all machines! as the path may be machine specific.

    Instead use this document.getElementById("fileInput").files[0].name; to get the file name with out any extra string attached in the beginning. it will return only the file name.
    In my case i used $("#uploadFile")[0].files[0].name and it worked on html5 enabled safari browser as well!

    • ranggadablues

      thank dude
      this document.getElementById(“fileInput”).files[0].name; works great!!!

  7. Scott

    I’ve tried using javascript:

    inputNode.value = newValue;

    jQuery (change event on file input element):

    $(this).attr("value", newValue);

    In the latest firefox and chrome, both throw a security error and refuse to display the new value (ie, replace the fakepath crap).

    Is there a way to change the display to get rid of fakepath that actually works?

  8. Thanks David. I also confused with it.

  9. Hello,

    I use the object FileReader on the input onchange event the your input file type !
    ex :

    var input = document.getElementById("inputFile");
    var fReader = new FileReader();
    fReader.readAsDataURL(input.files[0]);
    fReader.onloadend = function(event){
    var img = document.getElementById("yourImgTag");
    
    img.src = event.target.result;
    }
    
  10. Don’t really care about what it shows, main thing is functionality

  11. Hi,

    I was trying to follow up an exercise in the book “Developing Backbone.js Applications”.
    Your post helped me out with image path turned into C:\\fakepath\\.

    This is what I did.

    } else if ( el.id === 'coverImage' ){
    
    					formData[ el.id ] = $( el ).val().replace("C:\\fakepath\\", "../img/");
    					console.log( formData[ el.id ] );
    
    
    				} else {
    					formData[ el.id ] = $( el ).val();
                    }
    
    				}
    
    
  12. Noriel

    Good thing I found this blog! I was freaking worried about that.. lol

  13. Christopher Jimenez

    in Version 31.0.1650.57 this
    document.getElementById(“fileInput”).files[0].fileName;
    changes to
    document.getElementById(“fileInput”).files[0].name;

  14. Thanks you very much, that solved my problem…. :)
    the results of my javascript on page :

    document.getElementById("archivo").onchange = function () {
    document.getElementById("uploadFile").value = this.value;
    document.getElementById("uploadfile").files[0].fileName;
    

    i dont know if theres something repeated but it worked.

  15. Josh

    if there are multiupload, it’s works well

    $("input[name='attach']").each(function(){
    	var files = $(this).val();
    	var tmpArray = files.split("\\");
    	files = tmpArray[tmpArray.length-1];   //get the last item in tmpArray 
    });
    
    • Vinod
      document.getElementById("uploadFile").value = this.value;

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!

Recently on David Walsh Blog

  • Open Files from Command Line on OS X

    I'm as much of a fan of application UIs as anyone else but I'm finding myself working more and more from the command line lately.  Much of that is becoming obsessed with media manipulation but I'm forcing myself to use less UIs so that I...

  • Get Stock Quotes From Command Line

    When I conned my way into my first professional programming gig, I didn't really think much about money -- just that I was getting my foot in the door.  But as my career has gone on, I've been more aware of money, investing, and retirement.  I've recently...

  • Geolocation API

    One interesting aspect of web development is geolocation; where is your user viewing your website from? You can base your language locale on that data or show certain products in your store based on the user's location. Let's examine how you can...

  • Create an Image Preview from a Video

    Visuals are everything when it comes to media.  When I'm trying to decide whether to watch a video on Netflix, it would be awesome to see a trailer of some kind, but alas that isn't available.  When I'm looking to download a video on my computer,...

  • New:  Webdesigner News!

    A new and exciting website has recently been launched for web designers and developers. You likely spend hours every morning browsing through hundreds of posts on your RSS feeds, hoping to stumble across relevant stories. Webdesigner News was built to provide web designers and developers with...