[whatwg] The problem of duplicate ID as a security issue
Alexey Feldgendler
alexey at feldgendler.ru
Thu Mar 16 04:47:24 PST 2006
On Thu, 16 Mar 2006 18:33:30 +0600, Mihai Sucan <mihai.sucan at gmail.com>
wrote:
>> A DOMDocument interface has to be exposed to the contained scripts
>> anyway, why not also make it accessible from the outside?
> Yes, but I'm afraid it's a technical challenge to implementors.
I don't believe it's a tougher challenge than making the fake document
interface for the inner scripts. But I think we should rather hear an
opinion from a browser developer.
> Therefore, it's clear nothing has to be changed in quirks mode, but in
> standards mode:
>
> 1. break during parsing.
> 2. break JS code if it sets the id of a node to a duplicate ID.
And what if the JS code clones a node with non-empty ID? Should it throw
an exception when such a node is inserted into the document?
> Or simply leave it as it is: quirks mode behaviour.
Maybe you're right. Really, the standards mode should be as strict as
possible.
>> Simply picking the last matching node is actually hiding a bug and
>> letting it go unnoticed. (Why the last one? Why not the first, for
>> example?)
> That's true, but this happens in many, many other cases.
In standards mode? What are these cases?
-- Opera M2 9.0 TP2 on Debian Linux 2.6.12-1-k7
* Origin: X-Man's Station at SW-Soft, Inc. [ICQ: 115226275]
<alexey at feldgendler.ru>