On 12/20/11 10:55 AM, "Sean Mullan" <[email protected]> wrote:

>It no longer searches. All IDs have to be pre-registered. It knows about
>IDs in the XML signature namespace so pre-registers those itself.

Does that imply you no longer rely on getElementById either? Because
that's a search you don't control, and we know Xerces allows duplicates,
ergo so does Santuario if it uses that API.

>We could search the entire document every time for duplicate IDs but
>then nobody would use the library because it would be too slow.

It would work fine in many applications that favor guarantees over speed.

>This is an issue that we can solve partially, but in my opinion higher
>level APIs need to also do their job and register the IDs in their own
>namespaces (or use a validating schema). Then wrapping attacks are not
>possible.

Unless you're not using the DOM ID APIs anymore, they're still possible
because Xerces remains broken.

-- Scott
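The whole-document duplicate-ID scan the thread discusses (refusing to resolve signature References when any ID value is ambiguous), written here as an added example in Python; it is not Santuario's code, and the set of attribute names treated as IDs is an assumption for the demo.

```python
"""Reject an XML document with duplicate ID attributes before any
Reference URI is resolved.  Added example, not Santuario code; the ID
attribute names below are an assumption for this demonstration."""
import xml.dom.minidom
from collections import defaultdict

XML_NS = "http://www.w3.org/XML/1998/namespace"
# Assumed set of local names that act as IDs (ds:Id, wsu:Id, xml:id, ...).
ID_LOCAL_NAMES = {"Id", "ID", "id"}


def collect_ids(doc):
    """Map every ID value to the elements carrying it, in document order."""
    seen = defaultdict(list)
    for el in doc.getElementsByTagName("*"):
        attrs = el.attributes
        for i in range(attrs.length):
            attr = attrs.item(i)
            is_xml_id = attr.namespaceURI == XML_NS and attr.localName == "id"
            if attr.localName in ID_LOCAL_NAMES or is_xml_id:
                seen[attr.value].append(el)
    return seen


def find_duplicate_ids(xml_text):
    """Return {id_value: [tag names]} for every ID used more than once."""
    doc = xml.dom.minidom.parseString(xml_text)
    return {value: [el.tagName for el in els]
            for value, els in collect_ids(doc).items() if len(els) > 1}


def check_before_verify(xml_text):
    """Gate for a verifier: raise instead of resolving an ambiguous ID."""
    dups = find_duplicate_ids(xml_text)
    if dups:
        raise ValueError(f"ambiguous ID(s), refusing to verify: {sorted(dups)}")
    return True


# Constructed sample: the same Id on a header element and on the Body.
SAMPLE_DUPLICATE = """<Envelope xmlns:wsu="http://example.invalid/wsu">
  <Header><Security><Timestamp wsu:Id="body">t</Timestamp></Security></Header>
  <Body wsu:Id="body">payload</Body>
</Envelope>"""
SAMPLE_CLEAN = SAMPLE_DUPLICATE.replace('Timestamp wsu:Id="body"',
                                        'Timestamp wsu:Id="ts"')

if __name__ == "__main__":
    print(find_duplicate_ids(SAMPLE_DUPLICATE))  # {'body': ['Timestamp', 'Body']}
```

The scan is O(n) in document size, which is the cost the thread is weighing against the guarantee it buys.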
