W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] The problem of duplicate ID as a security issue

From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
Date: Fri, 17 Mar 2006 01:17:25 +1100
Message-ID: <44197375.2020900@lachy.id.au>
Alexey Feldgendler wrote:
>> I think enforcing ID uniqueness in standards mode would be good, but 
>> that would still probably break (very?) few pages. Those web authors 
>> should have to "live with it", because they want standards-compliant 
>> sites.
> I'm not speaking about enforcing ID uniqueness at the time of parsing 
> the page, but only at the time of calling getElementById(). I believe it 
> will break very few pages, if any.

Actually, I'm sure it would unnecessarily break many sites.

> Usually in such applications the scripts don't call getElementById() for 
> those ID values which occur more than once. If they occasionally do, 
> it's really a programming bug. I don't believe that there are 
> applications that really rely on the particular behavior in this case, 
> though I admit that there are possibly some that have this bug unnoticed 
> and still work. I think that this case should trigger an exception in 
> standards mode because, for this bug, there is no obvious fix to apply,

I don't.  getElementById is already defined and implemented to deal with 
duplicate IDs, there's no need to redefine it in a way that isn't 
backwards compatible with existing sites.

Lachlan Hunt
Received on Thursday, 16 March 2006 06:17:25 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC