Description
The <input> element with type="file" enables users to select and upload files from their device storage to a remote server. However, unrestricted file upload functionality can introduce an arbitrary file upload vulnerability, allowing malicious users to upload and potentially execute any file on the server.
Recommendation
To mitigate this risk:
- Implement restrictions on the file types and sizes that users can upload.
- Ensure that uploaded files are stored securely and are not publicly accessible on the web server.
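The following is an added example of a server-side upload handler that applies both recommendations; it is not code from the original page. The size cap, the allowed types with their magic bytes, and the storage directory /srv/app/uploads (assumed to sit outside the web server's document root) are assumed policy values.

```python
import os
import secrets
from pathlib import Path

# Assumed policy values for this example (not from the original page).
MAX_BYTES = 5 * 1024 * 1024  # 5 MiB size cap
# Allowed extensions mapped to the magic bytes the content must start with,
# so the type is checked by content, not by the client-supplied name alone.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Hypothetical storage root outside the document root: nothing here is served
# directly by the web server, only through an application handler.
UPLOAD_ROOT = Path("/srv/app/uploads")


def validate_upload(client_name: str, data: bytes) -> str:
    """Check size, extension and content; return the extension or raise ValueError."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise ValueError("file size out of bounds")
    # Only the base name is considered; any client-supplied path is untrusted.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    return ext


def is_acceptable(client_name: str, data: bytes) -> bool:
    """Boolean form of validate_upload for callers that only need accept/reject."""
    try:
        validate_upload(client_name, data)
    except ValueError:
        return False
    return True


def save_upload(client_name: str, data: bytes, write: bool = False) -> Path:
    """Validate, then store under a random server-chosen name (never the client's)."""
    ext = validate_upload(client_name, data)
    dest = UPLOAD_ROOT / f"{secrets.token_hex(16)}{ext}"
    if write:
        dest.parent.mkdir(parents=True, exist_ok=True)
        with open(dest, "xb") as fh:  # "x" mode: never overwrite an existing file
            fh.write(data)
    return dest
```

With write=False the function only reports where the file would land, which makes the validation path easy to exercise in tests; a constructed PHP script named img.png is rejected because its bytes do not start with the PNG signature.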