W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] The problem of duplicate ID as a security issue

From: Mihai Sucan <mihai.sucan@gmail.com>
Date: Thu, 16 Mar 2006 17:30:32 +0200
Message-ID: <op.s6iio6y4mcpsjg@localhost.localdomain>
Le Thu, 16 Mar 2006 16:17:25 +0200, Lachlan Hunt  
<lachlan.hunt at lachy.id.au> a ?crit:

> I don't.  getElementById is already defined and implemented to deal with  
> duplicate IDs, there's no need to redefine it in a way that isn't  
> backwards compatible with existing sites.

Yes, getElementById is already defined to deal with duplicate IDs by  
returning null, in DOM Level 3 Core [1]. In DOM Level 2 Core [2], the  
behaviour is explicitly undefined in this case ("behavior is not defined  
if more than one element has this ID").

Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and  
IE) are the problem, actually. These do not return null, they return the  
last node which set the ID. That's a problem with security implications,  
as stated by Alexey in the message starting this thread.

[1] http://www.w3.org/TR/DOM-Level-3-Core/core.html#ID-getElBId
[2] http://www.w3.org/TR/DOM-Level-2-Core/core.html

ROBO Design - We bring you the future
Received on Thursday, 16 March 2006 07:30:32 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC