[whatwg] The problem of duplicate ID as a security issue
Mihai Sucan
mihai.sucan at gmail.com
Thu Mar 16 07:30:32 PST 2006

On Thu, 16 Mar 2006 16:17:25 +0200, Lachlan Hunt
<lachlan.hunt at lachy.id.au> wrote:

> I don't. getElementById is already defined and implemented to deal with
> duplicate IDs, there's no need to redefine it in a way that isn't
> backwards compatible with existing sites.

Yes, getElementById is already defined to deal with duplicate IDs by
returning null, in DOM Level 3 Core [1]. In DOM Level 2 Core [2], the
behaviour is explicitly undefined in this case ("behavior is not defined
if more than one element has this ID").

Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and
IE) are the problem, actually. These do not return null; they return the
last node which set the ID. That's a problem with security implications,
as stated by Alexey in the message starting this thread.

[1] http://www.w3.org/TR/DOM-Level-3-Core/core.html#ID-getElBId
[2] http://www.w3.org/TR/DOM-Level-2-Core/core.html
--
http://www.robodesign.ro
ROBO Design - We bring you the future
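
One way to avoid depending on which duplicate a user agent returns, as an added example that is not part of the original message: a strict lookup that returns null for an ambiguous ID (the behaviour the message attributes to DOM Level 3 Core), plus a duplicate-ID audit. The plain node objects and the names el, indexIds, strictGetElementById and duplicateIds are assumptions, standing in for a real DOM so the code runs under Node.

```javascript
// Minimal element tree standing in for a parsed document (constructed sample,
// so the example runs under Node without a browser DOM).
function el(tag, id, children = []) {
  return { tag, id, children };
}

// Constructed page in which the id "login" appears on two elements.
const page = el("body", null, [
  el("form", "login", [el("input", "token")]),
  el("div", "comments", [
    el("p", "c1"),
    el("form", "login"), // second element reusing the same id
  ]),
]);

// Walk the tree in document order and group elements by id.
function indexIds(root) {
  const index = new Map();
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node.id !== null) {
      if (!index.has(node.id)) index.set(node.id, []);
      index.get(node.id).push(node);
    }
    // Push children in reverse so they are popped in document order.
    for (let i = node.children.length - 1; i >= 0; i--) stack.push(node.children[i]);
  }
  return index;
}

// Strict lookup: null when the id is missing or ambiguous, so the caller
// never depends on which duplicate an implementation happens to pick.
function strictGetElementById(root, id) {
  const matches = indexIds(root).get(id) || [];
  return matches.length === 1 ? matches[0] : null;
}

// Audit helper: every id that occurs more than once, for logging or for
// rejecting the markup before scripts run against it.
function duplicateIds(root) {
  return [...indexIds(root)].filter(([, nodes]) => nodes.length > 1).map(([id]) => id);
}

console.log(duplicateIds(page));
console.log(strictGetElementById(page, "login"), strictGetElementById(page, "token").tag);
```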