[whatwg] The problem of duplicate ID as a security issue

[Mikko Rantalainen]

Alexey Feldgendler wrote:
> The problem of duplicate ID isn't just another issue where it's nice to  
> have some well-defined error recovery just for uniformity. There are cases  
> when duplicate IDs should be viewed as a security concern.
> 
> [...]
> For example, imagine a script which finds a button by ID and attaches an  
> event listener to it. A possible markup looks like this:
> 
> <div>
>      ...blog entry body...
> </div>
> <button id="addtomemories">Add this entry to memories</button>
> <script>
> document.getElementById('addtomemories').addEventListener('click',  
> doSomeNiceAJAX);
> </script>
> 
> So, a malicious blog author can make the following entry:
> 
> I have found a <a href="#" id="addtomemories">cool website</a>.

I think the real problem is not adding the button though the script, 
too. This is bad for two reasons:

1) modified source may result to incorrect targeted element and
2) there shouldn't be any buttons if scripting isn't enabled.

If the script inserts the button, then it can store reference to it 
for later use so it doesn't need the id attribute in the first 
place. I'm fully aware that it's no always reasonable to expect the 
script author to insert all elements via script that need to be 
accessed but I think at least the actions that have security 
implications should go through this kind of procedure.

Security is hard just because *any little error* in the whole 
process can render every other "security feature" meaningless. 
Allowing random user input with possibility to use user supplied 
scripting is next to impossible to make secure.

-- 
Mikko