[whatwg] The problem of duplicate ID as a security issue
Mikko Rantalainen
mikko.rantalainen at peda.net
Fri Mar 10 02:33:19 PST 2006
Alexey Feldgendler wrote:
> The problem of duplicate ID isn't just another issue where it's nice to
> have some well-defined error recovery just for uniformity. There are cases
> when duplicate IDs should be viewed as a security concern.
>
> [...]
> For example, imagine a script which finds a button by ID and attaches an
> event listener to it. A possible markup looks like this:
>
> <div>
> ...blog entry body...
> </div>
> <button id="addtomemories">Add this entry to memories</button>
> <script>
> document.getElementById('addtomemories').addEventListener('click',
> doSomeNiceAJAX);
> </script>
>
> So, a malicious blog author can make the following entry:
>
> I have found a <a href="#" id="addtomemories">cool website</a>.
I think the real problem is not adding the button through the script,
too. This is bad for two reasons:
1) modified source may result in an incorrectly targeted element and
2) there shouldn't be any buttons if scripting isn't enabled.
If the script inserts the button, then it can store a reference to it
for later use, so it doesn't need the id attribute in the first
place. I'm fully aware that it's not always reasonable to expect the
script author to insert all elements via script that need to be
accessed, but I think at least the actions that have security
implications should go through this kind of procedure.
Security is hard just because *any little error* in the whole
process can render every other "security feature" meaningless.
Allowing random user input with the possibility to use user-supplied
scripting is next to impossible to make secure.
--
Mikko
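The duplicate-ID hijack Alexey describes, side by side with the script-created button Mikko proposes instead, as an added example that is not code from this thread. It models only the DOM rule the attack depends on, that getElementById() returns the first element in tree order carrying the id, using a small in-memory tree whose class and method names (Element, Doc, dispatch, walk, countById) are this example's own rather than the browser API; the page content is constructed from the quoted markup.

```javascript
'use strict';

// Toy DOM for this example: enough of a tree to model the one rule the
// thread turns on, namely that getElementById() returns the FIRST element
// in tree (pre-order) order carrying the id. Class and method names here
// are this example's own, not the browser API.
class Element {
  constructor(tagName, attrs = {}, textContent = '') {
    this.tagName = tagName;
    this.attrs = { ...attrs };
    this.textContent = textContent;
    this.children = [];
    this.listeners = {};
  }
  get id() { return this.attrs.id; }
  appendChild(child) { this.children.push(child); return child; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatch(type) { (this.listeners[type] || []).forEach((fn) => fn(this)); }
  // Pre-order walk: the document order a browser uses for id lookups.
  *walk() { yield this; for (const c of this.children) yield* c.walk(); }
}

class Doc {
  constructor() { this.body = new Element('body'); }
  createElement(tagName) { return new Element(tagName); }
  getElementById(id) {
    for (const el of this.body.walk()) if (el.id === id) return el;
    return null;
  }
  // Audit helper: how many elements claim this id. Anything other than 1
  // means a getElementById() result cannot be trusted.
  countById(id) {
    let n = 0;
    for (const el of this.body.walk()) if (el.id === id) n += 1;
    return n;
  }
}

// Constructed page, following the quoted markup: the attacker's entry body
// comes first, the site's own button (if any) after it.
function buildPage({ staticButton }) {
  const doc = new Doc();
  const entry = doc.body.appendChild(new Element('div'));
  // Attacker-controlled entry body: plain HTML, no script, but it may carry an id.
  const attackerLink = entry.appendChild(
    new Element('a', { href: '#', id: 'addtomemories' }, 'cool website'));
  const siteButton = staticButton
    ? doc.body.appendChild(new Element('button', { id: 'addtomemories' },
        'Add this entry to memories'))
    : null;
  return { doc, entry, attackerLink, siteButton };
}

// The pattern from the quoted post: look the button up by id and wire it.
function attachVulnerable(doc, doSomeNiceAJAX) {
  doc.getElementById('addtomemories').addEventListener('click', doSomeNiceAJAX);
}

// Mikko's alternative: the script creates the button, keeps the reference
// and never consults the id namespace the attacker can pollute. With no
// static button in the markup, non-scripting users see no dead control.
function attachHardened(doc, doSomeNiceAJAX) {
  const button = doc.createElement('button');
  button.textContent = 'Add this entry to memories';
  button.addEventListener('click', doSomeNiceAJAX);
  doc.body.appendChild(button); // lands right after the entry body
  return button;
}

function vulnerableScenario() {
  const { doc, attackerLink, siteButton } = buildPage({ staticButton: true });
  const hits = [];
  attachVulnerable(doc, (el) => hits.push(el.tagName));
  attackerLink.dispatch('click');
  siteButton.dispatch('click');
  // The listener landed on the attacker's <a>; the real button is inert.
  return { duplicates: doc.countById('addtomemories'), hits };
}

function hardenedScenario() {
  const { doc, attackerLink } = buildPage({ staticButton: false });
  const hits = [];
  const button = attachHardened(doc, (el) => hits.push(el.tagName));
  attackerLink.dispatch('click');
  button.dispatch('click');
  return { hits };
}

console.log('vulnerable:', vulnerableScenario()); // duplicates 2, hits ['a']
console.log('hardened:  ', hardenedScenario());   // hits ['button']
```

In the vulnerable run the site's own button never fires; the attacker's link, which appears earlier in the document and so wins the id lookup, is what triggers the AJAX action. The hardened run performs no id lookup at all, so the duplicate id in the entry body is irrelevant. Where a lookup by id cannot be avoided, a countById()-style check that the id is unique at attach time is the minimum a script should do before trusting the result.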