On 12/20/2011 10:59 AM, Cantor, Scott wrote:
On 12/20/11 10:55 AM, "Sean Mullan"<[email protected]>  wrote:

It no longer searches. All IDs have to be pre-registered. It knows about
IDs in the XML signature namespace so pre-registers those itself.

Does that imply you no longer rely on getElementById either? Because
that's a search you don't control, and we know Xerces allows duplicates,
ergo so does Santuario if it uses that API.

The code does still call DOM Document.getElementById, but how does that make it possible to do an attack? The trusted validation code should be creating the Document and registering the IDs. If you are letting untrusted code create the Document for you and register arbitrary IDs, then that is a bug.

--Sean

We could search the entire document every time for duplicate IDs but
then nobody would use the library because it would be too slow.

It would work fine in many applications that favor guarantees over speed.

This is an issue that we can solve partially, but in my opinion higher
level APIs need to also do their job and register the IDs in their own
namespaces (or use a validating schema). Then wrapping attacks are not
possible.

Unless you're not using the DOM ID APIs anymore, they're still possible
because Xerces remains broken.

-- Scott
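An added example, not code from this thread or from Santuario or Xerces, of the one-time whole-document duplicate-ID scan the thread discusses: the trusted code parses the document, registers every ID itself, refuses the document when two elements claim the same ID, and resolves same-document references from that registry rather than from DOM getElementById. The attribute names treated as IDs and both sample documents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names treated as IDs (assumption for this example; a real
# application registers the ID attributes of its own schema/namespaces).
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
ID_ATTRS = ("Id", "ID", "id", XML_ID)

# Constructed samples: WRAPPED_DOC has two elements both claiming Id="body".
CLEAN_DOC = """<Envelope>
  <Body Id="body"><Amount>10</Amount></Body>
</Envelope>"""
WRAPPED_DOC = """<Envelope>
  <Wrapper><Body Id="body"><Amount>10</Amount></Body></Wrapper>
  <Body Id="body"><Amount>9999</Amount></Body>
</Envelope>"""

def build_id_registry(root):
    """One pass over the whole tree: map each ID to its element, or
    refuse the document on any duplicate instead of silently keeping one."""
    registry, duplicates = {}, set()
    for elem in root.iter():
        for name in ID_ATTRS:
            value = elem.get(name)
            if value is None:
                continue
            if value in registry:
                duplicates.add(value)
            else:
                registry[value] = elem
    if duplicates:
        raise ValueError(f"duplicate ID values: {sorted(duplicates)}")
    return registry

def registry_for(xml_text):
    """Parse untrusted text, then build the registry under trusted control."""
    return build_id_registry(ET.fromstring(xml_text))

def has_duplicate_ids(xml_text):
    """True if registry_for would reject the document."""
    try:
        registry_for(xml_text)
    except ValueError:
        return True
    return False

def resolve_reference(registry, uri):
    """Resolve a same-document URI ('#id') from the registry, never via DOM."""
    if not uri.startswith("#") or uri[1:] not in registry:
        raise ValueError(f"unresolvable reference {uri!r}")
    return registry[uri[1:]]
```

The scan costs one walk per document, which is the speed trade-off the thread argues about; a schema-validated or namespace-registered ID set would let the registry be built without it.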
