<input type="file"> limit selectable files by extensions [duplicate]

G

4

152

How can someone limit the files that can be selected with the input type="file" element by extensions?

I already know the accept attribute, but in chrome it does limit the files by the last MIME Type defined (in this case "gif") and FF4 does not even limit anything.

<input type="file" accept="image/jpg, image/gif">

Am I doing anything wrong or is there another way?

Gervase answered 26/4, 2011 at 21:14 Comment(0)

L

21

Honestly, the best way to limit files is on the server side. People can spoof file type on the client so taking in the full file name at server transfer time, parsing out the file type, and then returning a message is usually the best bet.

Lionel answered 26/4, 2011 at 21:15 Comment(10)

+1. Also I recommend putting something in your server side code to stop the upload if the received file is too large. – Tubuliflorous 26/4, 2011 at 21:32

thx ... i made it serversided. – Gervase 16/5, 2011 at 22:12

@JoshuaCarmody how do you suggest to do it for large files(2gb and above) on server side? – Infantilism 17/10, 2013 at 4:58

@Allan Depends a lot on the tech. ASP.NET has a "max request size" that you can specify in the Web.config. Writing a handler that reads the request from an input stream and stops after a certain number of bytes is possible in other languages. Really depends on your app. Post a separate question if you'd like more details. – Tubuliflorous 18/10, 2013 at 19:55

+1, but note: this answer is vaguely stale, since the HTML5 File API allows more file work to be done client side. I, for example, am not sending the file upstream, I'm loading the text into a textarea. The fact remains, that the server should be vigilant any time it receives a file. – Kielty 28/4, 2014 at 14:30

I think it's better to do both. Giving the user feedforward about the files that are(n't) selectable, will save some frustrations. Because if the users spends half a minute precisely selecting files he needs, and afterwards finds out it's all for nothing.. The earlier you can tel hem, the better. – Algeria 12/1, 2015 at 8:13

-1. Good suggestion, but the question didn't suggest the files would be uploaded anywhere. It didn't even suggest the presence of a server at all (such as in the case of a fully client-side app). As said already, this answer should be a comment instead. – Jarmon 28/12, 2018 at 16:59

Serverside is good, but also means the file got sent to server already, your wasting time and traffic if you can easily prevent on the client. Better to have some client side validation as well – Rm 15/4, 2019 at 17:34

What if you want to show error before uploading? Checking on server is a must but preventing from client could be good for user experience – Flyleaf 8/9, 2020 at 10:41

Checking on server side is good for security but not for UX so we should have either somehting in front-end that warn user wich file we want and then we confirm in the back. – Sinfonia 6/12, 2022 at 21:33

T

381

Easy way of doing it would be:

<input type="file" accept=".gif,.jpg,.jpeg,.png,.doc,.docx">

Works with all browsers, except IE9. I haven't tested it in IE10+.

Terry answered 4/2, 2014 at 22:59 Comment(11)

accept does not work in Firefox (as of 31.0 and 32.0) – Railey 10/9, 2014 at 7:37

Test in FF 37.0. Works fine!. – Ragged 1/6, 2015 at 15:52

this seems perfectly valid according to the MDN docs – Briquet 10/6, 2015 at 12:30

Under the "accept" of a file input, there can also be a definition of the general type of the files for selection. For example, if you put "image/*" under the "accept" attribute, the limitation will cover all the standard file formats (gif, jpeg and so on) for images and not just the type(s) by extensions. In addition, you can combine the pre-defined type(s) and extensions. For example: "image/*,.swf". For this example, the limitation will include all standard image files AND all ".swf" files. NOTE: the user can always select "All Files" from the type list in the dialog box... ;-) – Matherne 19/4, 2016 at 15:23

This helps to provide some filtering to the file dialog on uploads, but I definitely think this needs to be used in conjunction with a server restriction too. – Takeo 28/6, 2016 at 10:45

tanks ,its work with Firefox 57.0.4 (64-bit) – Abecedary 5/1, 2018 at 7:7

i beliefe the user can forge his own post-method, bypassing your accept. this looks nice at first sight, but safer is always cheking @ serverside – Bloomfield 18/9, 2018 at 15:30

@Bloomfield input check and security should always be implemented on the server side. The accept feature exists only to help users quickly filter relevant files and not having to sift through thousands of irrelevant files. – Contrabandist 7/12, 2020 at 19:12

This answer is better than what is on w3schools, thanks! – Incommunicative 1/4, 2022 at 10:38

This solution will just be a filtering files option only. Incase user select all, user can see all file and select any file user want. – Anchylose 20/7, 2023 at 22:19

accept="image/*" – Pastorale 28/11, 2023 at 17:15

T

30

NOTE: This answer is from 2011. It was a really good answer back then, but as of 2015, native HTML properties are supported by most browsers, so there's (usually) no need to implement such custom logic in JS. See Edi's answer and the docs.

Before the file is uploaded, you can check the file's extension using Javascript, and prevent the form being submitted if it doesn't match. The name of the file to be uploaded is stored in the "value" field of the form element.

Here's a simple example that only allows files that end in ".gif" to be uploaded:

<script type="text/javascript">
    function checkFile() {
        var fileElement = document.getElementById("uploadFile");
        var fileExtension = "";
        if (fileElement.value.lastIndexOf(".") > 0) {
            fileExtension = fileElement.value.substring(fileElement.value.lastIndexOf(".") + 1, fileElement.value.length);
        }
        if (fileExtension.toLowerCase() == "gif") {
            return true;
        }
        else {
            alert("You must select a GIF file for upload");
            return false;
        }
    }
</script>

<form action="upload.aspx" enctype="multipart/form-data" onsubmit="return checkFile();">
    <input name="uploadFile" id="uploadFile" type="file" />

    <input type="submit" />
</form>

However, this method is not foolproof. Sean Haddy is correct that you always want to check on the server side, because users can defeat your Javascript checking by turning off javascript, or editing your code after it arrives in their browser. Definitely check server-side in addition to the client-side check. Also I recommend checking for size server-side too, so that users don't crash your server with a 2 GB file (there's no way that I know of to check file size on the client side without using Flash or a Java applet or something).

However, checking client side before hand using the method I've given here is still useful, because it can prevent mistakes and is a minor deterrent to non-serious mischief.

Tubuliflorous answered 26/4, 2011 at 21:31 Comment(3)

This is the best answer. Even though it's understood that you definitely need to check files properly on the server side, this client side JS check is good for usability - means you can warn the user early of a probable error. – Cutback 25/11, 2013 at 12:31

you're gonna want to have a toLowerCase() in there before the comparison – Zelmazelten 5/12, 2014 at 17:40

With IE You can check the file size using the Scripting.FileSystemObject but you need to allow for unsafe ActiveX in the client browser. So yes there is no "good" way. – Mafalda 27/1, 2017 at 19:14