Revert to previous template::widget::file behavior of accepting input in a form of a list of 3 elements (e.g. without a .tmpfile in the request), but introduce validation so that we enforce all widget values to be in the proper format and the files to be "safe"
Test the behavior of the file-storage when a malicious user would try to store a pre-existing file on the server as its own
The fix for the file-storage is a simple validation to make sure that the tmpfile exists, however, for the generic case of the file widget, we cannot trust the tmpfile value when this was not generated by the server. This will probably cause regression when one wants to show a "preview" of a form, to be continued.