[whatwg] The problem of duplicate ID as a security issue
Alexey Feldgendler
alexey at feldgendler.ru
Sun Mar 12 23:50:19 PST 2006
On Fri, 10 Mar 2006 13:21:36 +0600, Bjoern Hoehrmann <derhoermi at gmx.net>
wrote:
>> This kind of attack is hard to circumvent through use of HTML cleaners
>> because id="addtomemories" looks like an innocent attribute, like an
>> anchor for navigation. Preventing such attacks by a HTML cleaner would
>> require either making a full list of all "forbidden" IDs, class names
>> etc, or imposing Draconian rules upon user-supplied content, completely
>> disallowing such useful attributes like id and class.
> A full list of all forbidden IDs would be as simple as /^acme-/
Indeed. But adding a prefix to each ID and/or class name is not an option
for many mature CMS and other web applications.
> which would already be necessary to ensure conforming content.
Necessary but not sufficient. Duplicate IDs aren't caught by a validating
parser, so custom code is needed to enforce many of the requirements. For
example, if one was trying to ensure that all IDs are unique, then the ID
values within the user-supplied code would have to be checked for
duplicates among them, too.
-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]
<alexey at feldgendler.ru>
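
The custom check discussed in the message above, as an added example that is not part of the original post or of any project mentioned in it: a cleaner pass that rejects user-supplied IDs that use the reserved /^acme-/ prefix, collide with IDs the site already uses, or repeat within the fragment itself. The names IdCollector, check_fragment and SITE_IDS, and the ID "header", are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

RESERVED = re.compile(r"^acme-")        # prefix from the thread, reserved for the site
SITE_IDS = {"addtomemories", "header"}  # assumed: IDs the page template already uses


class IdCollector(HTMLParser):
    """Collect every id attribute value in document order.

    html.parser lowercases attribute names and decodes character
    references in values, so ID="x" and id="&#97;bc" are both seen.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.ids = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "id" and value is not None:
                self.ids.append(value)


def check_fragment(fragment, site_ids=SITE_IDS):
    """Return a list of (id, reason) problems; an empty list means the fragment passes."""
    collector = IdCollector()
    collector.feed(fragment)
    collector.close()
    problems, seen = [], set()
    for value in collector.ids:
        if RESERVED.match(value):
            problems.append((value, "reserved prefix"))
        elif value in site_ids:
            problems.append((value, "collides with site ID"))
        elif value in seen:
            problems.append((value, "duplicate within fragment"))
        seen.add(value)
    return problems


# Constructed sample input, not taken from the thread.
SAMPLE = (
    '<p id="intro">hi</p>'
    '<a id="&#97;ddtomemories" href="#">x</a>'
    '<span id="acme-nav"></span>'
    '<div id="intro"></div>'
    '<b ID="note">ok</b>'
)

if __name__ == "__main__":
    for value, reason in check_fragment(SAMPLE):
        print(f"{value!r}: {reason}")
```

The second element in the sample writes its ID with a character reference; comparing the decoded value is what lets the check catch it.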