The file can BE a valid file.. let's say I send up a very nice GIF but give it a filename of javascript:evilstuff()" ALT="foo.gif The "extension" when it looks at it, is .gif, right, fine, that's good. Is it really a GIF that I got uploaded? It is? Right, fine, that's good. That's one part of the problem, the other part is that if the filename includes spaces, e.g. Pic of my dog.jpg Then, the spaces do not get URL-encoded, because, to LINK to a file like that, in an HREF, you need to do: Pic%20of%20my%20dog.jpg HREF objects can't have spaces in them, because it must contain a URL, and a URL cannot contain whitespace (or any other special character for that matter). That's what tipped me off to this is that I saw a page on another person's w3t board where the image filename had spaces and netscape users couldn't download it because their browser (obeying the standard) was very confused. The issue with spaces is mildly easy because people expect it, but if I was to send a filename of "Derek?Susan?.jpg", that would cause some serious issues for some browsers, I reckon, even though it is a perfectly legitimate FILENAME. D
