- Bug
- Resolution: Fixed
- Critical
- 8.0.2
- Security Level: Jimmy
- ZK 8.0.3 S7, ZK 8.0.3 S9
- None
steps to reproduce
run the attached file fileupload-clientside-override.zul
try to upload a file larger than 1KB ... the upload fails because it exceeds the limit (OK)
press the button
actual result
after manipulating the client-side widget, files up to 1MB can be uploaded
expected result
even when the client side is manipulated, the server side should still reject files above the configured limit
debug info
when initiating the upload, the client sends the max size to the server; this should not be necessary, since the information is already available on the server side (there is no need to send it to the server)
upload?uuid=fS3Q1&dtid=z_j4d&sid=0&maxsize=1024
dropupload?uuid=fS3Q6&dtid=z_j4d&maxsize=1024&native=false
root cause
the maxsize parameter sent by the client is used without further checking, instead of the value already present on the server side
https://github.com/zkoss/zk/blob/078307514bfda61f759a051203530df201006b89/zk/src/org/zkoss/zk/au/http/AuUploader.java#L421-L427
https://github.com/zkoss/zk/blob/078307514bfda61f759a051203530df201006b89/zk/src/org/zkoss/zk/au/http/AuDropUploader.java#L326-L333
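To show the server-side fix the report asks for, here is an added, self-contained Java sketch (not ZK's AuUploader and not code from this issue): the client-sent maxsize parameter is accepted but ignored, the bound comes from a constructed server-side value standing in for `<max-upload-size>`, and the limit is enforced while the body is streamed rather than trusted from any client-provided number. Class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Map;

// Hypothetical stand-in for server-side upload limit handling; not ZK's AuUploader.
public class UploadLimitPolicy {

    // Raised as soon as the streamed body passes the server-configured limit.
    static class UploadTooLargeException extends IOException {
        UploadTooLargeException(long limit) {
            super("upload exceeds configured limit of " + limit + " bytes");
        }
    }

    // Effective limit in bytes. The request parameters are passed in only to make
    // explicit that "maxsize" is ignored: the bound comes from server configuration
    // (a constructed value here, standing in for zk.xml's <max-upload-size>).
    static long effectiveLimitBytes(Map<String, String> requestParams, long configuredLimitBytes) {
        // Vulnerable pattern from the report: long limit = Long.parseLong(requestParams.get("maxsize"));
        return configuredLimitBytes;
    }

    // Copy while counting; abort once the limit is passed, so neither Content-Length
    // nor the client widget decides the bound.
    static long copyWithLimit(InputStream in, OutputStream out, long limitBytes) throws IOException {
        byte[] buf = new byte[4096];
        long total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > limitBytes) throw new UploadTooLargeException(limitBytes);
            out.write(buf, 0, n);
        }
        return total;
    }

    public static void main(String[] args) throws IOException {
        long limit = effectiveLimitBytes(Map.of("maxsize", "1048576"), 1024); // client claims 1 MB, config says 1 KB
        byte[] body = new byte[2048];                                          // constructed 2 KB upload
        try {
            copyWithLimit(new ByteArrayInputStream(body), new ByteArrayOutputStream(), limit);
            System.out.println("accepted (unexpected)");
        } catch (UploadTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```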
- relates to: ZK-3659 global <max-upload-size> is ignored (Closed)