W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2007

[whatwg] The problem of duplicate ID as a security issue

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 6 Jun 2007 22:42:31 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.0706062241500.4344@dhalsim.dreamhost.com>
On Thu, 7 Jun 2007, Alexey Feldgendler wrote:
> On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:
> 
> > > Preventing such attacks by a HTML cleaner would require either 
> > > making a full list of all "forbidden" IDs, class names etc, or 
> > > imposing Draconian rules upon user-supplied content, completely 
> > > disallowing such useful attributes like id and class.
> 
> > I'm not really convinced there's that much use in user-supplied IDs 
> > and classes, but the rules needn't be that draconian. The server could 
> > automatically prepend the commentN string to IDs and classes.
> 
> IDs in user-supplied content are only useful as fragment identifiers for 
> URLs, and mangling them like that defeats this use case because you 
> don't know N before you post the comment, and therefore can't make 
> internal links within the body (and it's also unobvious when you try to 
> make links to parts of your article afterwards).

True. I don't have a good solution to this that doesn't involve code on 
the server-side, though.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 6 June 2007 15:42:31 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:56 UTC