[whatwg] The problem of duplicate ID as a security issue
ian at hixie.ch
Wed Jun 6 15:42:31 PDT 2007
On Thu, 7 Jun 2007, Alexey Feldgendler wrote:
> On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:
> > > Preventing such attacks by a HTML cleaner would require either
> > > making a full list of all "forbidden" IDs, class names etc, or
> > > imposing Draconian rules upon user-supplied content, completely
> > > disallowing such useful attributes like id and class.
> > I'm not really convinced there's that much use in user-supplied IDs
> > and classes, but the rules needn't be that draconian. The server could
> > automatically prepend the commentN string to IDs and classes.
> IDs in user-supplied content are only useful as fragment identifiers for
> URLs, and mangling them like that defeats this use case because you
> don't know N before you post the comment, and therefore can't make
> internal links within the body (and it's also unobvious when you try to
> make links to parts of your article afterwards).
True. I don't have a good solution to this that doesn't involve code on
the server-side, though.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg