[whatwg] The problem of duplicate ID as a security issue
Ric Hardacre
whatwg at cycloid.f9.co.uk
Wed Mar 15 02:10:08 PST 2006
>> Yes, I saw Ric's reply. A nice suggestion, but that implies <sandbox>
>> is a documentElement by itself, or is it a DOMSandbox needing to be
>> defined?
>
> Sandboxes are quite special things, so we'll need a DOMSandbox anyway.
> But instead of adding things like getElementById() to the DOMSandbox
> interface, I tend to make the "fake document" which is visible from
> inside the sandbox a member of the sandbox itself. The call will look
> like sandbox.document.getElementById().
>
I think that treating <sandbox> as a document object per se may be a bit
of overkill; from a coding perspective all it should take is for the
implementing browser to flag a script as being contained within a
sandbox, or not. Pseudocode:
    documentGetElementByIdWrapper( elementID )
    {
        // script is flagged as running inside a sandbox: search that subtree only
        if( theScript.sandboxElement )
        {
            return theScript.sandboxElement.getElementById( elementID );
        }
        // otherwise fall back to the whole document
        if( globalDocumentElement )
            return globalDocumentElement.getElementById( elementID );
        return null;
    }
Ric Hardacre
http://www.cyclomedia.co.uk/
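
Added example, not part of the original message: a JavaScript sketch of the scoped lookup in the pseudocode above, run against a constructed miniature element tree. Elem, lookupForScript and the sample ids are hypothetical names, and the first-match-in-document-order search is an assumption of this sketch.

```javascript
// Constructed miniature element tree: just enough structure to compare lookups.
class Elem {
  constructor(tag, id = null, children = []) {
    this.tag = tag;
    this.id = id;
    this.children = children;
  }
  // Depth-first search of this element's descendants, in document order.
  getElementById(id) {
    for (const child of this.children) {
      if (child.id === id) return child;
      const hit = child.getElementById(id);
      if (hit) return hit;
    }
    return null;
  }
}

// Mirrors the wrapper in the message: a script flagged as sandboxed is
// resolved against its sandbox element, any other script against the document.
// script.sandboxElement is a hypothetical flag set by the (imagined) loader.
function lookupForScript(script, documentRoot, id) {
  if (script.sandboxElement) return script.sandboxElement.getElementById(id);
  return documentRoot ? documentRoot.getElementById(id) : null;
}

// Constructed page: untrusted markup inside <sandbox> reuses the id "login"
// and sits earlier in document order than the page's own form.
const injected = new Elem("form", "login");
const sandbox = new Elem("sandbox", null, [injected]);
const trusted = new Elem("form", "login");
const balance = new Elem("span", "balance");
const doc = new Elem("html", null, [new Elem("body", null, [sandbox, trusted, balance])]);

const pageScript = { sandboxElement: null };
const sandboxedScript = { sandboxElement: sandbox };

// Sandboxed script: ids resolve only within the sandbox subtree.
console.log(lookupForScript(sandboxedScript, doc, "login") === injected);
console.log(lookupForScript(sandboxedScript, doc, "balance"));
// Page script: duplicate id still resolves to the first match in the document.
console.log(lookupForScript(pageScript, doc, "login") === trusted);
```

The sandboxed script cannot resolve ids outside its subtree, while the unsandboxed lookup still returns the first match in document order, which here is the element inside the sandbox rather than the page's own form.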