[whatwg] The problem of duplicate ID as a security issue
mihai.sucan at gmail.com
Thu Mar 16 07:30:32 PST 2006
On Thu, 16 Mar 2006 16:17:25 +0200, Lachlan Hunt
<lachlan.hunt at lachy.id.au> wrote:
> I don't. getElementById is already defined and implemented to deal with
> duplicate IDs, there's no need to redefine it in a way that isn't
> backwards compatible with existing sites.
Yes, getElementById is already defined to deal with duplicate IDs by
returning null, in DOM Level 3 Core. In DOM Level 2 Core, the
behaviour is explicitly undefined in this case ("behavior is not defined
if more than one element has this ID").
Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and
IE) are the problem, actually. These do not return null, they return the
last node which set the ID. That's a problem with security implications,
as stated by Alexey in the message starting this thread.
ROBO Design - We bring you the future
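
Added example, not part of the original message: a duplicate-ID audit that also records which element, if any, getElementById resolves each duplicated ID to, so the behaviour of a given implementation can be checked rather than assumed. The names `auditDuplicateIds`, `makeStubDocument`, `returnsNull` and `returnsLast` and the sample elements are constructed for illustration; in a browser, pass `document` instead of the stub.

```javascript
// Audit a document for duplicate IDs. `doc` is any object exposing
// querySelectorAll and getElementById (a browser Document, or the stub below).
function auditDuplicateIds(doc) {
  const byId = new Map();
  for (const el of doc.querySelectorAll('[id]')) {
    if (!byId.has(el.id)) byId.set(el.id, []);
    byId.get(el.id).push(el); // elements are collected in document order
  }
  const findings = [];
  for (const [id, elements] of byId) {
    if (elements.length < 2) continue; // unique ID, nothing to report
    const resolved = doc.getElementById(id);
    findings.push({
      id,
      count: elements.length,
      // Position (in document order) of the element the lookup returned;
      // -1 when the lookup returned null or an element outside the set.
      resolvedIndex: resolved == null ? -1 : elements.indexOf(resolved),
    });
  }
  return findings;
}

// Constructed stub so the audit runs without a browser. `resolve` decides
// what getElementById returns when given all elements matching the ID.
function makeStubDocument(elements, resolve) {
  return {
    querySelectorAll: (selector) => {
      if (selector !== '[id]') throw new Error('stub only supports [id]');
      return elements.filter((e) => e.id);
    },
    getElementById: (id) => resolve(elements.filter((e) => e.id === id)),
  };
}

// Constructed sample: two elements share the ID "login".
const sampleElements = [
  { id: 'login', tag: 'form' },
  { id: 'nav', tag: 'ul' },
  { id: 'login', tag: 'div' },
];

// The two behaviours described in the message above, modelled as resolvers.
const returnsNull = (m) => (m.length === 1 ? m[0] : null);
const returnsLast = (m) => (m.length ? m[m.length - 1] : null);
```

A `resolvedIndex` of -1 means the lookup returned null for the duplicated ID; any other value identifies which of the duplicates scripts relying on that ID will actually receive.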