[whatwg] The problem of duplicate ID as a security issue

* Alexey Feldgendler wrote:
>This kind of attack is hard to circumvent through use of HTML cleaners  
>because id="addtomemories" looks like an innocent attribute, like an  
>anchor for navigation. Preventing such attacks by a HTML cleaner would  
>require either making a full list of all "forbidden" IDs, class names etc,  
>or imposing Draconian rules upon user-supplied content, completely  
>disallowing such useful attributes like id and class.

A full list of all forbidden IDs would be as simple as /^acme-/ which
would already be necessary to ensure conforming content.
-- 
Bj?rn H?hrmann ? mailto:bjoern at hoehrmann.de ? http://bjoern.hoehrmann.de
Weinh. Str. 22 ? Telefon: +49(0)621/4309674 ? http://www.bjoernsworld.de
68309 Mannheim ? PGP Pub. KeyID: 0xA4357E78 ? http://www.websitedev.de/ 

Received on Thursday, 9 March 2006 23:21:36 UTC