
[whatwg] The problem of duplicate ID as a security issue

From: Alexey Feldgendler <alexey@feldgendler.ru>
Date: Thu, 07 Jun 2007 00:38:52 +0200
Message-ID: <op.ttiui2hf1h6og4@sandwich.feldgendler.ru>

On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:

>> Preventing such attacks by an HTML cleaner would require either making a
>> full list of all "forbidden" IDs, class names etc, or imposing Draconian
>> rules upon user-supplied content, completely disallowing such useful
>> attributes as id and class.

> I'm not really convinced there's that much use in user-supplied IDs and
> classes, but the rules needn't be that draconian. The server could
> automatically prepend the commentN string to IDs and classes.

IDs in user-supplied content are only useful as fragment identifiers for  
URLs, and mangling them like that defeats this use case because you don't  
know N before you post the comment, and therefore can't make internal  
links within the body (and it's also unobvious when you try to make links  
to parts of your article afterwards).


-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com
Received on Wednesday, 6 June 2007 15:38:52 UTC
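
The commentN prefixing scheme discussed in this message, as an added example that is not part of the original post or of any project's code. The `CommentNamespacer` class, the `namespace_comment` function and the sample markup are constructed for illustration; the sketch assumes a tag and attribute allowlist has already run, and it goes beyond the thread by also rewriting same-document `href="#..."` links inside the comment so they follow the renamed IDs.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "wbr"}  # void elements: emitted without an end tag


class CommentNamespacer(HTMLParser):
    """Re-serialise one comment, prefixing id and class tokens with commentN-."""

    def __init__(self, n):
        super().__init__(convert_charrefs=True)
        self.prefix = f"comment{n}-"
        self.out = []

    def _rewrite(self, name, value):
        if value is None:
            return None
        if name == "id":
            return self.prefix + value.strip()
        if name == "class":
            return " ".join(self.prefix + tok for tok in value.split())
        # Assumption beyond the thread: in-comment fragment links follow the rename.
        if name == "href" and value.startswith("#") and len(value) > 1:
            return "#" + self.prefix + value[1:]
        return value

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            value = self._rewrite(name, value)
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def namespace_comment(html, n):
    """Return the comment markup with IDs and classes moved into comment n's namespace."""
    parser = CommentNamespacer(n)
    parser.feed(html)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)


# Constructed sample: the comment tries to reuse an ID ("main") the host page might own.
SAMPLE = ('<h2 id="main">Intro</h2><p class="note warn">See <a href="#main">top</a>'
          ' &amp; <a href="http://example.org/#main">ext</a></p>')
```

Links pointing into the comment from elsewhere still have to carry the prefix, which is only known once N has been assigned.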