[whatwg] The problem of duplicate ID as a security issue

On Fri, 10 Mar 2006 13:21:36 +0600, Bjoern Hoehrmann <derhoermi at gmx.net> wrote:

>> This kind of attack is hard to circumvent through use of HTML cleaners
>> because id="addtomemories" looks like an innocent attribute, like an
>> anchor for navigation. Preventing such attacks by an HTML cleaner would
>> require either making a full list of all "forbidden" IDs, class names
>> etc, or imposing Draconian rules upon user-supplied content, completely
>> disallowing such useful attributes like id and class.

> A full list of all forbidden IDs would be as simple as /^acme-/

Indeed. But adding a prefix to each ID and/or class name is not an option  
for many mature CMS and other web applications.

> which would already be necessary to ensure conforming content.

Necessary but not sufficient. Duplicate IDs aren't caught by a validating  
parser, so custom code is needed to enforce many of the requirements. For  
example, if one was trying to ensure that all IDs are unique, then the ID  
values within the user-supplied code would have to be checked for  
duplicates among them, too.


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]  
<alexey at feldgendler.ru>

Received on Sunday, 12 March 2006 23:50:19 UTC
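The uniqueness check the reply describes, as an added Python example that is not part of the original post: it walks a cleaned user-supplied fragment and reports what a validating parser does not, namely ids repeated inside the fragment, ids that collide with ids the application itself emits, and ids matching the application's reserved prefix. The sample fragment, the application id set and the `^acme-` prefix (Bjoern's suggestion) are constructed for this demonstration.

```python
import re
from html.parser import HTMLParser


class IdCollector(HTMLParser):
    """Collect every id attribute value, in document order, from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; a bare `id` with no value is None.
        for name, value in attrs:
            if name == "id" and value is not None:
                self.ids.append(value.strip())


def check_user_ids(user_html, application_ids=frozenset(), reserved_prefix=None):
    """Return the problems a validating parser would not report for this fragment:
    ids repeated within the user content, ids that clash with ids the application
    emits on the same page, and ids matching the reserved prefix (a regex such as
    r"^acme-"). Run this on the cleaner's output, i.e. what the browser will see.
    An empty list means the fragment introduces no id conflicts."""
    collector = IdCollector()
    collector.feed(user_html)
    collector.close()

    problems = []
    seen = set()
    for value in collector.ids:
        if value in seen:
            problems.append(f"duplicate id in user content: {value!r}")
        seen.add(value)
        if value in application_ids:
            problems.append(f"id clashes with application id: {value!r}")
        elif reserved_prefix and re.match(reserved_prefix, value):
            problems.append(f"id uses reserved prefix: {value!r}")
    return problems


# Constructed sample: a comment body as a CMS might store it after cleaning.
SAMPLE_USER_HTML = """
<p id="intro">Hello</p>
<p id="intro">Repeated id: getElementById only ever finds the first one.</p>
<a id="addtomemories" href="#">Same id as the site's own button</a>
<div id="acme-footer">Uses the application's reserved prefix</div>
<span id="ok">Fine</span>
"""

# Assumed set of ids the application itself places on the page.
APPLICATION_IDS = frozenset({"addtomemories", "header", "footer"})

if __name__ == "__main__":
    for problem in check_user_ids(SAMPLE_USER_HTML, APPLICATION_IDS, r"^acme-"):
        print(problem)
```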