
[whatwg] The problem of duplicate ID as a security issue

From: Alexey Feldgendler <alexey@feldgendler.ru>
Date: Tue, 14 Mar 2006 18:07:01 +0600
Message-ID: <op.s6ejxzzq1h6og4@localhost>
On Tue, 14 Mar 2006 15:13:21 +0600, Ric Hardacre <ric at hardacre.org> wrote:

>> Yes... but there's a need for allowing the parent document to control
>> sandboxed content. Therefore, it needs a new parameter, for example:
>> getElementById(string id, bool search_in_sandbox). Isn't that changing
>> the getElementById function? Of course this is only one way; it could
>> probably be done differently, without changing the function(s).

> perhaps:
>
> <body>
> <div id="id">
> 	DIV1
> </div>
> <sandbox id="mysandbox" >
> 	<div id="id">
> 		DIV2
> 	</div>
> </sandbox>
> </body>
>
> from outside the sandbox:
>
> e = document.getElementById( "id" );
> //e = DIV1
>
> eMSB = document.getElementById( "mysandbox" )
> e = eMSB.getElementById( "id" );
> //e = DIV2
>
> from within the sandbox:
>
> var e = document.getElementById( "id" );
> //e = DIV2

That's exactly what I meant.


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]  
<alexey at feldgendler.ru>
Received on Tuesday, 14 March 2006 04:07:01 UTC
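
The scoping rule agreed on in this message, as an added example that is not part of the original post: a constructed tree model in JavaScript showing why a plain document-order lookup lets a sandboxed duplicate ID shadow the host's element, and how the scoped lookup avoids it. The helpers `el`, `naiveGetElementById` and `scopedGetElementById` are hypothetical, `<sandbox>` is the element proposed in the thread, and the sandbox is placed before the host's div here, unlike in the quoted markup.

```javascript
// Constructed tree model for illustration; <sandbox> is the element proposed
// in the thread, not a shipped HTML element, and these helpers are hypothetical.
const el = (tag, id, text, children = []) => ({ tag, id, text, children });

// Plain document-order lookup: the first element with a matching id wins,
// whether or not it sits inside untrusted sandboxed content.
function naiveGetElementById(root, id) {
  for (const child of root.children) {
    if (child.id === id) return child;
    const hit = naiveGetElementById(child, id);
    if (hit) return hit;
  }
  return null;
}

// Scoped lookup as described in the thread: search below `scope`, but never
// descend into a nested <sandbox>. The sandbox element itself stays findable.
function scopedGetElementById(scope, id) {
  for (const child of scope.children) {
    if (child.id === id) return child;
    if (child.tag === "sandbox") continue; // boundary: contents are out of scope
    const hit = scopedGetElementById(child, id);
    if (hit) return hit;
  }
  return null;
}

// The markup from the message, with the sandbox moved ahead of the host's div
// so that document order favours the sandboxed duplicate.
const body = el("body", null, null, [
  el("sandbox", "mysandbox", null, [el("div", "id", "DIV2")]),
  el("div", "id", "DIV1"),
]);

function demo() {
  const eMSB = scopedGetElementById(body, "mysandbox");
  return {
    naive: naiveGetElementById(body, "id").text,    // sandboxed duplicate shadows the host
    outside: scopedGetElementById(body, "id").text, // host script gets its own element
    // eMSB.getElementById("id") from outside, and document.getElementById("id")
    // from inside the sandbox, both resolve relative to the sandbox root.
    inside: scopedGetElementById(eMSB, "id").text,
  };
}

console.log(demo());
```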
