[whatwg] The problem of duplicate ID as a security issue
Lachlan Hunt
lachlan.hunt at lachy.id.au
Sat Mar 18 20:10:33 PST 2006
Mihai Sucan wrote:
> Yet getElementById is defined as [2]:
>
> <blockquote>
> Returns the Element that has an ID attribute with the given value.
> If no such element exists, this returns null.
> If more than one element has an ID attribute with that value, what
> is returned is undefined.
> </blockquote>
>
> Therefore... the appropriate behaviour for
> getElementById("duplicate-ID") is to return null.

No, the spec says the behaviour is undefined and so UAs can return
whatever they like and still be considered conformant. I agree that it
should be defined, but it should be defined in the way most compatible
with existing implementations and since no existing implementation (at
least none that I know of) returns null, that's likely to break many pages.

>>>> Simply picking the last matching node is actually hiding a bug and
>>>> letting it go unnoticed. (Why the last one? Why not the first, for
>>>> example?)

All the tests I made up showed that the first was returned in all
browsers I tested, including FF, IE, Opera, Safari and iCab. None of
them returned the last.

This is one of my test cases:

<!DOCTYPE html>
<script>
window.onload = function() {
  // Append a marker to whichever element getElementById returns for the duplicated ID.
  document.getElementById("foo").appendChild(document.createTextNode("This One!"));
};
</script>
<p id="foo">1: </p>
<p id="foo">2: </p>

The result:

* P id="foo"
    o #text: 1:
    o #text: This One!
* #text:
* P id="foo"
    o #text: 2:

--
Lachlan Hunt
http://lachy.id.au/
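
Added example, not part of the original message: a duplicate-ID audit that records which element the running UA actually returns from getElementById, since the quoted spec text leaves that undefined. The names findDuplicateIds, first, others, returned and returnsFirst are assumptions made for this illustration.

```javascript
// Added example: report every ID used by more than one element, and check
// which of them this UA hands back from getElementById.
// `root` is anything exposing querySelectorAll (Document, Element, fragment).
function findDuplicateIds(root) {
  const byId = new Map();
  // querySelectorAll yields matches in document order.
  for (const el of root.querySelectorAll('[id]')) {
    if (el.id === '') continue;            // an empty id is not a usable ID
    if (!byId.has(el.id)) byId.set(el.id, []);
    byId.get(el.id).push(el);
  }
  const canLookup = typeof root.getElementById === 'function';
  const report = [];
  for (const [id, els] of byId) {
    if (els.length < 2) continue;
    const returned = canLookup ? root.getElementById(id) : null;
    report.push({
      id,
      first: els[0],                       // first in document order
      others: els.slice(1),                // same ID, later in the document
      returned,                            // what this UA actually returned
      // null when root has no getElementById (e.g. an Element subtree)
      returnsFirst: canLookup ? returned === els[0] : null,
    });
  }
  return report;
}

// In a browser, log the findings for the current page.
if (typeof document !== 'undefined') {
  for (const d of findDuplicateIds(document)) {
    console.warn(
      `duplicate id "${d.id}": ${d.others.length} extra element(s); ` +
      `getElementById returns the first in document order: ${d.returnsFirst}`
    );
  }
}
```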