[whatwg] The problem of duplicate ID as a security issue

Alexey Feldgendler alexey at feldgendler.ru
Sun Mar 12 23:50:19 PST 2006


On Fri, 10 Mar 2006 13:21:36 +0600, Bjoern Hoehrmann <derhoermi at gmx.net>  
wrote:

>> This kind of attack is hard to circumvent through use of HTML cleaners
>> because id="addtomemories" looks like an innocent attribute, like an
>> anchor for navigation. Preventing such attacks by a HTML cleaner would
>> require either making a full list of all "forbidden" IDs, class names
>> etc, or imposing Draconian rules upon user-supplied content, completely
>> disallowing such useful attributes like id and class.

> A full list of all forbidden IDs would be as simple as /^acme-/

Indeed. But adding a prefix to each ID and/or class name is not an option  
for many mature CMS and other web applications.

> which would already be necessary to ensure conforming content.

Necessary but not sufficient. Duplicate IDs aren't caught by a validating  
parser, so custom code is needed to enforce many of the requirements. For  
example, if one was trying to ensure that all IDs are unique, then the ID  
values within the user-supplied code would have to be checked for  
duplicates among them, too.


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]  
<alexey at feldgendler.ru>
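An added example, not part of the thread, of the custom checks the message above says a validating parser will not do for you: it scans a user-supplied fragment for IDs that fall into the host's reserved namespace (the `acme-` prefix is taken from the thread as an assumed host convention), IDs that collide with the host page's own IDs (the `host_ids` parameter is an assumption), and IDs duplicated within the fragment itself.

```python
import re
from html.parser import HTMLParser

# Host-reserved ID prefix, assumed from the thread's /^acme-/ suggestion.
RESERVED_ID = re.compile(r"^acme-")


class IdCollector(HTMLParser):
    """Collects every id attribute value in document order."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; a bare "id" yields None.
        for name, value in attrs:
            if name == "id" and value is not None:
                self.ids.append(value)


def check_ids(fragment, host_ids=frozenset()):
    """Return a list of problems found in the fragment's id attributes.

    An empty list means the fragment passes all three checks: no reserved
    prefix, no collision with the host page's IDs, no duplicate within the
    fragment itself.
    """
    parser = IdCollector()
    parser.feed(fragment)
    parser.close()
    problems = []
    seen = set()
    for value in parser.ids:
        if RESERVED_ID.search(value):
            problems.append(f"reserved id: {value!r}")
        if value in host_ids:
            problems.append(f"collides with host page id: {value!r}")
        if value in seen:
            problems.append(f"duplicate id within fragment: {value!r}")
        seen.add(value)
    return problems


if __name__ == "__main__":
    # Constructed sample of user-supplied content exercising all three cases.
    sample = ('<div id="intro"><a id="acme-addtomemories">x</a>'
              '<p id="intro">again</p><span id="nav">s</span></div>')
    for problem in check_ids(sample, host_ids={"nav"}):
        print(problem)
```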

