[whatwg] The problem of duplicate ID as a security issue

Lachlan Hunt lachlan.hunt at lachy.id.au
Sat Mar 18 20:10:33 PST 2006


Mihai Sucan wrote:
> Yet getElementById is defined as [2]:
> 
> <blockquote>
>     Returns the Element that has an ID attribute with the given value. 
> If no such element exists, this returns null.
>     If more than one element has an ID attribute with that value, what 
> is returned is undefined.
> </blockquote>
> 
> Therefore... the appropriate behaviour for 
> getElementById("duplicate-ID") is to return null.

No, the spec says the behaviour is undefined and so UAs can return 
whatever they like and still be considered conformant.  I agree that it 
should be defined, but it should be defined in the way most compatible 
with existing implementations and since no existing implementation (at 
least none that I know of) returns null, that's likely to break many pages.

>>>> Simply picking the last matching node is actually hiding a bug and 
>>>> letting it go unnoticed. (Why the last one? Why not the first, for 
>>>> example?)

All the tests I made up showed that the first was returned in all 
browsers I tested, including FF, IE, Opera, Safari and iCab.  None of 
them returned the last.

This is one of my test cases:

<!DOCTYPE html>
<script>
window.onload = function() {
document.getElementById("foo").appendChild(document.createTextNode("This 
One!"));
}
</script>
<p id="foo">1: </p>
<p id="foo">2: </p>

The result:
     * P id="foo"
           o #text: 1:
           o #text: This One!
     * #text:
     * P id="foo"
           o #text: 2:

-- 
Lachlan Hunt
http://lachy.id.au/




More information about the whatwg mailing list