
[whatwg] The problem of duplicate ID as a security issue

From: Hallvord R M Steen <hallvors@gmail.com>
Date: Thu, 16 Mar 2006 16:55:33 +0100
Message-ID: <dd4c8a40603160755i4e48f3c4h6b8e4e5a4a81aee5@mail.gmail.com>

> Yes, getElementById is already defined to deal with duplicate IDs by
> returning null, in DOM Level 3 Core [1].

This should be changed; it will break sites.

> Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and
> IE) are the problem, actually. These do not return null, they return the
> last node which set the ID.

They return the first element in the source with the given ID. Testing
with IE6, Firefox 1.5 and Opera 9. Implementations agree simply
because this is necessary to make sites work.

> That's a problem with security implications,
> as stated by Alexey in the message starting this thread.

The cross-browser implementation makes the problem less serious since
a site can simply ensure that the content it controls is earlier in
the source than the user-supplied contents.

Hallvord R. M. Steen
Received on Thursday, 16 March 2006 07:55:33 UTC
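
The first-match lookup and the ordering mitigation described in the message above, as an added example that is not part of the original post. The tree is a constructed model of a parsed page rather than a browser DOM, and `el`, `firstById`, `shadowedIds` and the `trusted` flag are hypothetical names introduced here.

```javascript
// Constructed model: plain objects stand in for elements.
// trusted = true marks markup written by the site, false marks user-supplied markup.
function el(tag, id, trusted, children = []) {
  return { tag, id, trusted, children };
}

// Depth-first, pre-order traversal visits elements in source order.
function* inSourceOrder(node) {
  yield node;
  for (const child of node.children) yield* inSourceOrder(child);
}

// First-match lookup: the behaviour the message reports for the tested browsers.
function firstById(root, id) {
  for (const node of inSourceOrder(root)) {
    if (node.id === id) return node;
  }
  return null;
}

// List every id that site markup uses but whose first occurrence in source
// order is user-supplied. A first-match lookup for such an id resolves to
// user content instead of the site's own element.
function shadowedIds(root) {
  const first = new Map(); // id -> first element seen with that id
  const shadowed = new Set();
  for (const node of inSourceOrder(root)) {
    if (!node.id) continue;
    if (!first.has(node.id)) {
      first.set(node.id, node);
    } else if (node.trusted && !first.get(node.id).trusted) {
      shadowed.add(node.id);
    }
  }
  return [...shadowed];
}

// Constructed sample pages: the same duplicate id, in two different orders.
const siteFirstPage = el("body", null, true, [
  el("form", "login", true),
  el("div", "comments", true, [el("form", "login", false)]),
]);
const userFirstPage = el("body", null, true, [
  el("div", "comments", true, [el("form", "login", false)]),
  el("form", "login", true),
]);

console.log(shadowedIds(siteFirstPage), shadowedIds(userFirstPage));
```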
