[whatwg] The problem of duplicate ID as a security issue

Alexey Feldgendler alexey at feldgendler.ru
Tue Mar 14 21:55:34 PST 2006


On Wed, 15 Mar 2006 02:42:27 +0600, Mihai Sucan <mihai.sucan at gmail.com>  
wrote:

> I've made a short "investigation" regarding how browsers behave with  
> document.getElementById('a-duplicate-ID').
>
> The page:
> http://www.robodesign.ro/_gunoaie/duplicate-ids.html
>
> Take a close look into the source (I've provided comments) to understand  
> what the "Click me" tests and what it shows. You'll see major browsers  
> I've tested behave the same: like with a queue, the last node that sets  
> the duplicate ID is also the node that's returned when you use  
> getElementById function.

Unfortunately we can't change it in a backwards-compatible way (though we  
probably can define a stricter behavior for <!DOCTYPE html> only).

Seems like sandboxes as security barriers are the only solution to the  
duplicate ID problem as a security thread -- at least the only one I can  
think of.


-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]  
<alexey at feldgendler.ru>



More information about the whatwg mailing list