GXT 3.x only.
Could someone analyse and explain the connection between the three private fields in FileUploadField?
Specifically,
If you could answer the above questions, you should be able to answer this one ... (but please don't answer this question if you do not provide answers to the above two questions). Is the following statement true, somewhat true or incidental?
EDIT
OK, never mind item 2: fileinput value is transferred to text input at onChange method.
There is none. There is an <input type=file> painted invisibly over top of the 'real' button. When you click on this, the dialog comes up - the click hits the <input type=file> instead of the button, but onBrowserEvent tells the button to behave like it was clicked anyway. As far as I'm aware, this is the only way to gain access to the file system (i.e. the "Choose a file") provided by the browser (at least that supports browsers without the new File API, or Flash or another plugin).
The <input type=file> exposes access to the name (which may or may not be complete or even real) to the JavaScript on the page. This is, as you note, available in a DOM change event from the input itself. Only the file name is available (again, without the File API), and it might have a fake path (i.e. IE) or no path (everyone else).
This is not a security concern that GXT has anything to do with - instead the Rube Goldberg layout of the DOM of the field is to deal with the browser's security limitations. Using private on the <input> is just making it clear that you shouldn't access it directly, and does nothing meaningful to prevent you from reading it. If you subclass this, go after getFileInput(), otherwise, use JSNI and the so-called violator pattern to grab a reference to the file field or that method.
Yep - this isn't about security, this is about writing maintainable code. See also https://stackoverflow.com/a/2954949/860630.
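The file-name handling described in the answer, as an added example that is not part of the original thread and not GXT code: a change handler that copies the value of an `<input type=file>` into a text field while treating it as an untrusted display label, whether the browser reports a fake path or a bare name. The function names, the length cap and the sample values are assumptions made for illustration.

```javascript
// Added example (not GXT's implementation). The value of an <input type=file>
// is only a label chosen by the browser and the user: it may carry a fake
// path, no path at all, or characters that should not reach the UI.
const MAX_LABEL_LENGTH = 255; // assumed cap for the visible text field

function displayNameFromFileInputValue(value) {
  if (typeof value !== 'string' || value.length === 0) {
    return '';
  }
  // Keep only the part after the last separator, so a fake path such as
  // C:\fakepath\name and a bare name produce the same label.
  const lastSep = Math.max(value.lastIndexOf('\\'), value.lastIndexOf('/'));
  let name = value.slice(lastSep + 1);
  // Drop control characters before the label is shown anywhere.
  name = name.replace(/[\u0000-\u001f\u007f]/g, '');
  // Bound the length so an oversized name cannot distort the layout.
  return name.length > MAX_LABEL_LENGTH ? name.slice(0, MAX_LABEL_LENGTH) : name;
}

// Mirrors the hidden file input into the visible text input on change,
// the same hand-off the question's EDIT describes for onChange.
// fileInput and textInput are any objects with the DOM-like members used here.
function attachFileNameMirror(fileInput, textInput) {
  fileInput.addEventListener('change', () => {
    textInput.value = displayNameFromFileInputValue(fileInput.value);
  });
}
```

The label is for display only; the server still has to choose its own storage name and validate the uploaded content, because the client-supplied name proves nothing about the file.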