[whatwg] The problem of duplicate ID as a security issue
Mihai Sucan
mihai.sucan at gmail.com
Thu Mar 16 10:19:35 PST 2006
On Thu, 16 Mar 2006 17:55:33 +0200, Hallvord R M Steen
<hallvors at gmail.com> wrote:
>> Yes, getElementById is already defined to deal with duplicate IDs by
>> returning null, in DOM Level 3 Core [1].
>
> This should be changed, it will break sites.
True. Can it be changed? I believe not, since it's already a REC.
>> Yet, the implementations (major User Agents: Opera, Gecko, Konqueror and
>> IE) are the problem, actually. These do not return null, they return the
>> last node which set the ID.
>
> They return the first element in the source with the given ID. Testing
> with IE6, FireFox 1.5 and Opera 9. Implementations agree simply
> because this is necessary to make sites work.
Correct.
>> That's a problem with security implications,
>> as stated by Alexey in the message starting this thread.
>
> The cross-browser implementation makes the problem less serious since
> a site can simply ensure that the content it controls is earlier in
> the source than the user-supplied contents.
Having a security issue "implemented" across multiple browsers makes it
less serious? I'm not saying this is one of those, but I got this
impression from your reply.
Web authors cannot simply move user-supplied contents *anywhere* they want
in the document. To do this, they have to think about the layout, the "design"
of their code, with the "duplicate IDs issue" in mind. Something too many
simply do not think of, and won't do, until it's too late.
--
http://www.robodesign.ro
ROBO Design - We bring you the future
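
Added example, not part of the original message: a server-side check, in Python, for the situation discussed above, where the ID lookup resolves to the first element in source order and user-supplied markup may define an ID the site also uses. The function names, the 'site'/'user' labels and the sample pages are assumptions made for illustration, and Python's html.parser does not tokenize exactly as a browser does.

```python
from html.parser import HTMLParser


class _IdCollector(HTMLParser):
    """Collect id attribute values in source order."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via the default handle_startendtag.
        for name, value in attrs:
            if name == "id":
                if value:  # only the first id attribute counts; empty means no ID
                    self.ids.append(value)
                break


def ids_in(markup):
    """Return the IDs defined in a markup fragment, in source order."""
    collector = _IdCollector()
    collector.feed(markup)
    collector.close()
    return collector.ids


def id_owners(parts):
    """Map each ID to the origins ('site' or 'user') defining it, in source order."""
    owners = {}
    for origin, markup in parts:
        for ident in ids_in(markup):
            owners.setdefault(ident, []).append(origin)
    return owners


def colliding_ids(parts):
    """IDs defined by both site markup and user-supplied markup, in any order."""
    return sorted(i for i, o in id_owners(parts).items() if {"site", "user"} <= set(o))


def shadowed_ids(parts):
    """Colliding IDs whose first occurrence in the source is user-supplied."""
    owners = id_owners(parts)
    return sorted(i for i in colliding_ids(parts) if owners[i][0] == "user")


# Constructed sample pages: (origin, markup) parts in the order they are emitted.
SITE_FIRST = [("site", '<form id="login"></form>'), ("user", '<span id="login">hi</span>')]
USER_FIRST = [("site", '<h1 id="title">Forum</h1>'), ("user", '<span id="login">hi</span>'),
              ("site", '<form id="login"></form>')]
```

Rejecting or renaming everything `colliding_ids` reports does not depend on where the user content sits in the layout; `shadowed_ids` only narrows that list to the cases where a first-in-source lookup would resolve to the user-supplied element.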