This was brought up at the html-wg meeting in san jose. After a little
more thought, I've come to the conclusion that it is fairly easy to do a
secure implementation.
1. Never have form hidden be able to sepcify a file. Keep along with the
current implmenetations where hidden == text, but not shown.
2. Take the 'value' as the label of the pushbutton, ala submit and reset.
This covers the <input type=file value=/etc/passwd> type of attack.
3. make _damn_ sure your browser never gets installed as setuid root. :)
-Bill P.