[whatwg] The problem of duplicate ID as a security issue

On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:

>> Preventing such attacks by a HTML cleaner would require either making a
>> full list of all "forbidden" IDs, class names etc, or imposing Draconian
>> rules upon user-supplied content, completely disallowing such useful
>> attributes like id and class.

> I'm not really convinced there's that much use in user-supplied IDs and
> classes, but the rules needn't be that draconian. The server could
> automatically prepend the commentN string to IDs and classes.

IDs in user-supplied content are only useful as fragment identifiers for  
URLs, and mangling them like that defeats this use case because you don't  
know N before you post the comment, and therefore can't make internal  
links within the body (and it's also unobvious when you try to make links  
to parts of your article afterwards).

Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com

Received on Wednesday, 6 June 2007 15:38:52 UTC