Skip to content

Fixes for FileUpload component#338

Merged
csharpfritz merged 9 commits intoFritzAndFriends:devfrom
csharpfritz:copilot/fix-334-fileupload-component
Feb 10, 2026
Merged

Fixes for FileUpload component#338
csharpfritz merged 9 commits intoFritzAndFriends:devfrom
csharpfritz:copilot/fix-334-fileupload-component

Conversation

@csharpfritz
Copy link
Collaborator

No description provided.

Copilot AI and others added 9 commits February 9, 2026 17:09
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
Session: 2026-02-10-sprint1-kickoff
Requested by: Jeffrey T. Fritz

Changes:
- logged session to .ai-team/log/2026-02-10-sprint1-kickoff.md
- merged 6 decisions from inbox into decisions.md
- deduplicated CalendarSelectionMode decisions (Forge + Cyclops consolidated)
- propagated updates to agent history files (cyclops, jubilee, beast, forge, rogue)
- deleted processed inbox files
…ritzAndFriends#335)

SHIP-BLOCKING BUG FIX: The @onchange binding on <input type='file'> received
ChangeEventArgs (no file data), NOT InputFileChangeEventArgs. This meant
_currentFile was NEVER populated and HasFile always returned false.

Changes:
- Replace raw <input type='file'> with Blazor's InputFile component
- OnFileChangeInternal now receives InputFileChangeEventArgs with IBrowserFile
- _currentFile and _currentFiles properly populated on file selection
- HasFile, FileName, FileBytes, FileContent, PostedFile all work correctly
- SaveAs() uses Path.GetFileName() to prevent rooted path injection
- SaveAllFiles() validates resolved path stays within target directory
- _currentFiles is now readonly (security scan fix)
- Added HasFiles (plural) property for multi-file detection (Web Forms API)
- Removed unused IJSRuntime injection and ElementReference
- Updated docs to reflect InputFile usage and HasFiles property
// Sanitize: ensure the filename cannot escape the intended directory
var safeFileName = Path.GetFileName(filename);
var directory = Path.GetDirectoryName(filename);
var safePath = string.IsNullOrEmpty(directory) ? safeFileName : Path.Combine(directory, safeFileName);

Check notice

Code scanning / CodeQL

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments Note

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments.
// Sanitize filename to prevent directory traversal attacks
var safeFileName = Path.GetFileName(file.Name);
var path = Path.Combine(directory, safeFileName);
var fullPath = Path.GetFullPath(Path.Combine(directory, safeFileName));

Check notice

Code scanning / CodeQL

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments Note

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments.
// Sanitize: ensure the filename cannot escape the intended directory
var safeFileName = Path.GetFileName(filename);
var directory = Path.GetDirectoryName(filename);
var safePath = string.IsNullOrEmpty(directory) ? safeFileName : Path.Combine(directory, safeFileName);

Check notice

Code scanning / CodeQL

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments Note

Call to 'System.IO.Path.Combine' may silently drop its earlier arguments.
@csharpfritz csharpfritz merged commit 14d261a into FritzAndFriends:dev Feb 10, 2026
4 checks passed
@csharpfritz csharpfritz deleted the copilot/fix-334-fileupload-component branch February 10, 2026 16:50
csharpfritz added a commit to csharpfritz/BlazorWebFormsComponents that referenced this pull request Feb 10, 2026
…Friends#338 merge

The FileUpload PR (FritzAndFriends#338) inadvertently reverted Sprint 1 gate review
entries from agent histories (beast, cyclops, forge, jubilee, rogue)
and downgraded the FileUpload InputFile decision in decisions.md.

Restored from commit f85aa42 (docs(ai-team): Sprint 1 gate review results).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants