[whatwg] The problem of duplicate ID as a security issue

Ian Hickson ian at hixie.ch
Thu Jun 7 23:13:07 PDT 2007


On Thu, 7 Jun 2007, Alexey Feldgendler wrote:
>
> On Thu, 07 Jun 2007 00:42:31 +0200, Ian Hickson <ian at hixie.ch> wrote:
> 
> > > IDs in user-supplied content are only useful as fragment identifiers for
> > > URLs, and mangling them like that defeats this use case because you
> > > don't know N before you post the comment, and therefore can't make
> > > internal links within the body (and it's also unobvious when you try to
> > > make links to parts of your article afterwards).
> 
> > True. I don't have a good solution to this that doesn't involve code on
> > the server-side, though.
> 
> Some form of sandboxing would be one.

If sandboxing would solve it then I'll treat this issue as closed and deal 
with the sandboxing problems separately.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list