[whatwg] The problem of duplicate ID as a security issue

Lachlan Hunt lachlan.hunt at lachy.id.au
Thu Mar 16 06:17:25 PST 2006


Alexey Feldgendler wrote:
>> I think enforcing ID uniqueness in standards mode would be good, but 
>> that would still probably break (very?) few pages. Those web authors 
>> should have to "live with it", because they want standards-compliant 
>> sites.
> 
> I'm not speaking about enforcing ID uniqueness at the time of parsing 
> the page, but only at the time of calling getElementById(). I believe it 
> will break very few pages, if any.

Actually, I'm sure it would unnecessarily break many sites.

> Usually in such applications the scripts don't call getElementById() for 
> those ID values which occur more than once. If they occasionally do, 
> it's really a programming bug. I don't believe that there are 
> applications that really rely on the particular behavior in this case, 
> though I admit that there are possibly some that have this bug unnoticed 
> and still work. I think that this case should trigger an exception in 
> standards mode because, for this bug, there is no obvious fix to apply,

I don't. getElementById is already defined and implemented to deal with 
duplicate IDs; there's no need to redefine it in a way that isn't 
backwards compatible with existing sites.

-- 
Lachlan Hunt
http://lachy.id.au/



