[whatwg] The problem of duplicate ID as a security issue
Alexey Feldgendler
alexey at feldgendler.ru
Wed Jun 6 15:38:52 PDT 2007
On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:
>> Preventing such attacks by a HTML cleaner would require either making a
>> full list of all "forbidden" IDs, class names etc, or imposing Draconian
>> rules upon user-supplied content, completely disallowing such useful
>> attributes like id and class.
> I'm not really convinced there's that much use in user-supplied IDs and
> classes, but the rules needn't be that draconian. The server could
> automatically prepend the commentN string to IDs and classes.
IDs in user-supplied content are only useful as fragment identifiers for
URLs, and mangling them like that defeats this use case because you don't
know N before you post the comment, and therefore can't make internal
links within the body (and it's also unobvious when you try to make links
to parts of your article afterwards).
--
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com
More information about the whatwg
mailing list