A full disclosure post today had an exploit that used javascript in browsers to selectively "steal" keystrokes from the user typing and channeling it into the file upload field.  So as long as you type enough they could make you as well type the filename they were after.

While this attack needs more to become a bit effective (like making the user type the needed letters), it does show the dangers of running javascript once again. Your best choice if you use e.g. FireFox is to use something like Noscript. It allows you to turn javascript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care for users not wanting to expose themselves to randomly downloaded executable content)

Aparently both Firefox and MSIE suffer from this.

--
Swa Frantzen - Section66