[whatwg] The problem of duplicate ID as a security issue

On Thu, 16 Mar 2006 18:33:30 +0600, Mihai Sucan <mihai.sucan at gmail.com>  
wrote:

>> A DOMDocument interface has to be exposed to the contained scripts  
>> anyway, ahy not also make it accessible from the outside?

> Yes, but I'm afraid it's a technical challenge to implementors.

I don't believe it's a tougher challenge than making the fake document  
interface for the inner scripts. But I think we should rather hear an  
opinion from a browser developer.

> Therefore, it's clear nothing has to be changed in quirks mode, but in  
> standards mode:
>
> 1. break during parsing.
> 2. break JS code if it sets the id of a node to a duplicate ID.

And what if the JS code clones a node with non-empty ID? Should it throw  
an exception when such a node is inserted into the document?

> Or simply leave it as it is: quirks mode behaviour.

Maybe you're right. Really, the standards more should be as strict as  
possible.

>> Simply picking the last matching node is actually hiding a bug and  
>> letting it go unnoticed. (Why the last one? Why not the first, for  
>> example?)

> That's true, but this happens in many, many other cases.

In standards mode? What are these cases?


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]  
<alexey at feldgendler.ru>

Received on Thursday, 16 March 2006 04:47:24 UTC