[whatwg] The problem of duplicate ID as a security issue

Alexey Feldgendler alexey at feldgendler.ru
Wed Jun 6 15:38:52 PDT 2007


On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:

>> Preventing such attacks by an HTML cleaner would require either making a
>> full list of all "forbidden" IDs, class names etc, or imposing Draconian
>> rules upon user-supplied content, completely disallowing such useful
>> attributes as id and class.

> I'm not really convinced there's that much use in user-supplied IDs and
> classes, but the rules needn't be that draconian. The server could
> automatically prepend the commentN string to IDs and classes.

IDs in user-supplied content are only useful as fragment identifiers for  
URLs, and mangling them like that defeats this use case because you don't  
know N before you post the comment, and therefore can't make internal  
links within the body (and it's also unobvious when you try to make links  
to parts of your article afterwards).


-- 
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com
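
The server-side prefixing discussed in this message, as an added example that is not code from the thread or from any participant. It assumes the comment has already passed a tag/attribute allowlist; the "-" separator, the function and class names, and the rewriting of same-comment "#fragment" links (done at post time, when N is known) are assumptions of this sketch.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "wbr"}  # elements that take no end tag

class Namespacer(HTMLParser):
    """Re-serialise a comment, moving its ids and classes into a per-comment namespace."""

    def __init__(self, prefix):
        super().__init__(convert_charrefs=True)
        self.prefix = prefix
        self.out = []

    def _attr(self, name, value):
        if value is None:                      # bare attribute, e.g. <input disabled>
            return name
        if name == "id" and value.strip():
            value = self.prefix + value.strip()
        elif name == "class":
            value = " ".join(self.prefix + c for c in value.split())
        elif name == "href" and value.startswith("#") and len(value) > 1:
            # Same-comment fragment link: keep it pointing at the renamed id.
            value = "#" + self.prefix + value[1:]
        return f'{name}="{escape(value, quote=True)}"'

    def handle_starttag(self, tag, attrs):
        self.out.append("<" + " ".join([tag] + [self._attr(n, v) for n, v in attrs]) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def namespace_comment(html, n):
    """Return html with every id/class prefixed by 'comment<n>-'."""
    parser = Namespacer(f"comment{n}-")
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample input: a comment that reuses an id the host page might own.
SAMPLE = '<h2 id="login-form" class="title big">A &amp; B</h2><a href="#login-form">up</a>'

if __name__ == "__main__":
    print(namespace_comment(SAMPLE, 7))
```

Links from outside the comment to one of its parts still need the prefixed id, which is only known once N has been assigned.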


