[whatwg] The problem of duplicate ID as a security issue

Ric Hardacre whatwg at cycloid.f9.co.uk
Wed Mar 15 02:10:08 PST 2006

>> Yes, I saw Ric's reply. A nice suggestion, but that implies <sandbox> 
>> is a documentElement by itself, or is it a DOMSandbox needing to be 
>> defined?
> Sandboxes are quite special things, so we'll need a DOMSandbox anyway. 
> But instead of adding things like getElementById() to the DOMSandbox 
> interface, I tend to make the "fake document" which is visible from 
> inside the sandbox a member of the sandbox itself. The call will look 
> like sandbox.document.getElementById().

I think that treating <sandbox> as a document object per se may be a bit 
of overkill; from a coding perspective all it should take is for the 
implementing browser to flag a script as being contained within a 
sandbox, or not, pseudocode:

documentGetElementByIdWrapper( elementID )
    if( theScript.sandboxElement )
       return theScript.sandboxElement.getElementById( elementID );

    if( globalDocumentElement )
       return globalDocumentElement.getElementById( elementID );
    return null;

Ric Hardacre
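
The wrapper sketched in the message above, as an added runnable example (not part of the original post and not any browser's code). The element tree, the `el` and `findById` helpers, the extra `globalDocumentElement` and `opts` parameters and the `skipSandboxes` option are assumptions made here; the sample page is constructed so that untrusted sandbox content reuses an ID from the host page.

```javascript
// Minimal element tree standing in for a DOM (constructed sample data).
function el(tag, id, children = []) {
  return { tag, id, children };
}

// Depth-first search in document order below `root`.
// skipSandboxes is an assumption of this example, not in the message:
// when true, the search does not descend into <sandbox> subtrees.
function findById(root, id, skipSandboxes = false) {
  for (const child of root.children) {
    if (child.id === id) return child;
    if (skipSandboxes && child.tag === "sandbox") continue;
    const hit = findById(child, id, skipSandboxes);
    if (hit) return hit;
  }
  return null;
}

// The wrapper from the message: a script flagged as sandboxed only sees
// its own sandbox subtree; any other script searches the whole document.
function documentGetElementByIdWrapper(theScript, globalDocumentElement, elementID, opts = {}) {
  if (theScript.sandboxElement) {
    return findById(theScript.sandboxElement, elementID);
  }
  if (globalDocumentElement) {
    return findById(globalDocumentElement, elementID, opts.skipSandboxes === true);
  }
  return null;
}

// Constructed page: untrusted sandbox content reuses the host's id "login".
const untrusted = el("input", "login");
const sandbox = el("sandbox", null, [untrusted, el("p", "comment")]);
const trusted = el("input", "login");
const doc = el("html", null, [el("body", null, [sandbox, trusted, el("div", "secret")])]);

const sandboxedScript = { sandboxElement: sandbox };
const hostScript = { sandboxElement: null };

// A sandboxed script cannot reach host elements such as "secret".
console.log(documentGetElementByIdWrapper(sandboxedScript, doc, "secret")); // null
// A host script gets the first match in document order unless sandboxes are skipped.
console.log(documentGetElementByIdWrapper(hostScript, doc, "login") === trusted); // false
console.log(documentGetElementByIdWrapper(hostScript, doc, "login", { skipSandboxes: true }) === trusted); // true
```

The flag confines lookups made from inside the sandbox; a host-side lookup still resolves a duplicated ID to the sandboxed element when it comes first in document order, unless the global search also stops at sandbox boundaries.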
