W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2006

[whatwg] The problem of duplicate ID as a security issue

From: Mihai Sucan <mihai.sucan@gmail.com>
Date: Thu, 16 Mar 2006 20:19:35 +0200
Message-ID: <op.s6iqixv6mcpsjg@localhost.localdomain>
Le Thu, 16 Mar 2006 17:55:33 +0200, Hallvord R M Steen  
<hallvors at gmail.com> a ?crit:

>> Yes, getElementById is already defined to deal with duplicate IDs by
>> returning null, in DOM Level 3 Core [1].
>
> This should be changed, it will break sites.

True. Can it be changed? I believe not, since it's already a REC.

>> Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and
>> IE) are the problem, actually. These do not return null, they return the
>> last node which set the ID.
>
> They return the first element in the source with the given ID. Testing
> with IE6, FireFox 1.5 and Opera 9. Implementations agree simply
> because this is necessary to make sites work.

Correct.

>> That's a problem with security implications,
>> as stated by Alexey in the message starting this thread.
>
> The cross-browser implementation makes the problem less serious since
> a site can simply ensure that the content it controls is earlier in
> the source than the user-supplied contents.

Having a security issue "implemented" across multiple browsers makes it  
less serious? I'm not saying this is one of those, but I got this  
impression from your reply.

Web authors cannot simply move user-supplied contents *anywhere* they want  
in the document. To do this, they have to think the layout, the "design"  
of their code, with the "duplicate IDs issue" in mind. Something too many  
simply not think of, and won't do, until it's too late.


-- 
http://www.robodesign.ro
ROBO Design - We bring you the future
Received on Thursday, 16 March 2006 10:19:35 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:45 UTC