[whatwg] The problem of duplicate ID as a security issue
derhoermi at gmx.net
Thu Mar 9 23:21:36 PST 2006
* Alexey Feldgendler wrote:
>This kind of attack is hard to circumvent through use of HTML cleaners
>because id="addtomemories" looks like an innocent attribute, like an
>anchor for navigation. Preventing such attacks by a HTML cleaner would
>require either making a full list of all "forbidden" IDs, class names etc,
>or imposing Draconian rules upon user-supplied content, completely
>disallowing such useful attributes like id and class.
A full list of all forbidden IDs would be as simple as /^acme-/ which
would already be necessary to ensure conforming content.
Björn Höhrmann · mailto:bjoern at hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
More information about the whatwg