Yes; I'm assuming you're using some sort of scripting language to receive and 'do something' with the files, so you could always limit the filename or simply change the filename from whatever the user chooses to 'example.xml' in your receiving script. I don't know of a method to force 'example.xml' to be the only file shown in the directory browser view, that's something I would think would be a limitation of the user's web browser.

you should do some checking in your form action script but you could also do some client-side testing by using the onchange or onsubmit javascript event handlers.

Exactly. Always a good idea to give the user some feedback with some client-side code before beginning a server transaction.

You can only do this in the program compiling the application - for example, write a VB program that uses a dialog, and you can set the file types in "file types" drop down. You can probably do it in C and Java as well, and .asp/aspx will have handles to modify the "open" dialog.

However, you have to consider this really isn't the root of your problem. What's to stop me from creating a virus and naming it innocent-spreadsheet.xml?

The answer will rely in server-side validation of the actual data. I don't mean check that the extension is /\.xml$/i, a method of opening the file to read the headers and determine if it really is an xml file. I use similar methods with images combined with ImageMagick/Imagic. It doesn't matter what the extension is or even if it has one, it check the file type and if it's not one of my supported ones, error out.

In fact, I just checked - although it doesn't directly support XML, XML is inherently a text file, and and ImageMagick will return a text file type, which is half the battle.

This is a bit of overkill if you don't use Imagemagick for anything else, so you could simply open the XML file and examine the first few lines for the prooer headers and data formats. IF not found, error out.

I'm aware that people could still upload other files and I have server side validation (php) in place to check for this.

I just wanted to make it easier for users to find the file needed by blocking/hiding all others.

I found a solution. I came across a jquery/flash uploader script that allows me to limit the file name and extension so only files by a certain name are displayed in the file browser.

Thanks!