[whatwg] The problem of duplicate ID as a security issue

Le Thu, 16 Mar 2006 14:47:24 +0200, Alexey Feldgendler  
<alexey at feldgendler.ru> a ?crit:

> On Thu, 16 Mar 2006 18:33:30 +0600, Mihai Sucan <mihai.sucan at gmail.com>  
> wrote:
>
<...>
>
>> Therefore, it's clear nothing has to be changed in quirks mode, but in  
>> standards mode:
>>
>> 1. break during parsing.
>> 2. break JS code if it sets the id of a node to a duplicate ID.
>
> And what if the JS code clones a node with non-empty ID? Should it throw  
> an exception when such a node is inserted into the document?

This is something I forgot about.

The DOM 3 Core [1] spec should define the behaviour. I've just looked  
right now ... and no special details are given about cloneNode and the ID  
attribute.

Yet getElementById is defined as [2]:

<blockquote>
	Returns the Element that has an ID attribute with the given value. If no  
such element exists, this returns null.
	If more than one element has an ID attribute with that value, what is  
returned is undefined.
</blockquote>

Therefore... the appropriate behaviour for getElementById("duplicate-ID")  
is to return null. This is something not respected by any major browser,  
even in standards mode. This is the best behaviour for duplicate IDs,  
better than breaking the script, better than returning *one* of the nodes  
having the same ID.

>> Or simply leave it as it is: quirks mode behaviour.
>
> Maybe you're right. Really, the standards more should be as strict as  
> possible.

Strict or not strict? That's the question.

If strict: return null, no error as DOM 3 Core defines getElementById.

Returning null in quirks mode still breaks pages.

>>> Simply picking the last matching node is actually hiding a bug and  
>>> letting it go unnoticed. (Why the last one? Why not the first, for  
>>> example?)
>
>> That's true, but this happens in many, many other cases.
>
> In standards mode? What are these cases?

I was referring to the fact bugs made by web author are being let to go  
unnoticed, even in standards mode. Luckily, Opera 9 and Firefox 1.5 have  
started showing more errors in consoles (CSS, JS, XML, HTML, etc).

[1] http://www.w3.org/TR/DOM-Level-3-Core/
[2] http://www.w3.org/TR/DOM-Level-3-Core/core.html#ID-getElBId

-- 
http://www.robodesign.ro
ROBO Design - We bring you the future

Received on Thursday, 16 March 2006 07:18:54 UTC