[whatwg] The problem of duplicate ID as a security issue

Mihai Sucan mihai.sucan at gmail.com
Thu Mar 16 07:30:32 PST 2006

Le Thu, 16 Mar 2006 16:17:25 +0200, Lachlan Hunt  
<lachlan.hunt at lachy.id.au> a écrit:

> I don't.  getElementById is already defined and implemented to deal with  
> duplicate IDs, there's no need to redefine it in a way that isn't  
> backwards compatible with existing sites.

Yes, getElementById is already defined to deal with duplicate IDs by  
returning null, in DOM Level 3 Core [1]. In DOM Level 2 Core [2], the  
behaviour is explicitly undefined in this case ("behavior is not defined  
if more than one element has this ID").

Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and  
IE) are the problem, actually. These do not return null, they return the  
last node which set the ID. That's a problem with security implications,  
as stated by Alexey in the message starting this thread.

[1] http://www.w3.org/TR/DOM-Level-3-Core/core.html#ID-getElBId
[2] http://www.w3.org/TR/DOM-Level-2-Core/core.html

ROBO Design - We bring you the future

More information about the whatwg mailing list