I don't think this article is complete. It mentions no pollution, which is true of window and most HTML elements, but not always. Check this out, you can set an img name to getElementById and now document.getElementById is the image element!

Here's a minimal example (https://jsfiddle.net/wc5dn9x2/):

    <img id="asdf" name="getElementById" />
    <script>
        // The img object
        console.log(document.getElementById);

        // TypeError: document.getElementById is not a function :D
        console.log(document.getElementById('asdf'));
    </script>
I tried poking around for security vulnerabilities with this but couldn't find any :(

It seems that the names overwrite properties on document with themselves only for these elements: embed, form, iframe, img, object.

Edit: Here's how I found this: https://jsfiddle.net/wc5dn9x2/1/
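The following is an added example, not code from the thread or from the linked article. It simulates the mechanism the post above demonstrates (a named element shadowing a method on document) with a plain JavaScript object so it can run outside a browser, and shows the two defensive checks a page author would want: detecting that a document method no longer matches its prototype, and calling the method through a reference captured before any markup was parsed. `FakeDocument`, `simulateNamedElement` and the sample `img` object are constructed stand-ins; in a real page you would use `Document.prototype` and the global `document` in their place.

```javascript
// Added example (not from the original post). Stand-in for a browser document:
// in a real page, use Document.prototype and the global `document` instead.
class FakeDocument {
  constructor() { this.elements = {}; }
  getElementById(id) { return this.elements[id] || null; }
  querySelector(sel) { return null; }
}

// Defensive pattern: capture the prototype method at script start, before any
// markup is parsed. A named element added later cannot reach this reference.
const DOC_PROTO = FakeDocument.prototype;
const savedGetElementById = DOC_PROTO.getElementById;

// Returns the document methods whose current value no longer matches the
// prototype's, i.e. ones shadowed by a named element (or anything else).
function findClobbered(doc, methodNames) {
  return methodNames.filter(name => doc[name] !== DOC_PROTO[name]);
}

// Element lookup that does not trust `doc.getElementById` itself.
function safeGetElementById(doc, id) {
  return Reflect.apply(savedGetElementById, doc, [id]);
}

// Constructed stand-in for parsing <img id="asdf" name="getElementById">:
// a browser exposes the element as a named property on document; here we
// assign it directly to reproduce the shadowing effect.
function simulateNamedElement(doc, name, element) {
  doc.elements[element.id] = element;
  doc[name] = element;
}

// Walks through the scenario and returns the observable results.
function demo() {
  const doc = new FakeDocument();
  const img = { tagName: 'IMG', id: 'asdf', name: 'getElementById' };
  simulateNamedElement(doc, 'getElementById', img);

  const clobbered = findClobbered(doc, ['getElementById', 'querySelector']);

  // The direct call now fails, exactly as in the post above.
  let directCallThrew = false;
  try {
    doc.getElementById('asdf');
  } catch (e) {
    directCallThrew = e instanceof TypeError;
  }

  // The captured prototype method still works against the same document.
  const found = safeGetElementById(doc, 'asdf');
  return { clobbered, directCallThrew, found };
}

console.log(demo());
```

The comparison against the prototype method is the useful check here: a named element does not touch `Document.prototype`, so `Document.prototype.getElementById.call(document, id)` keeps working even when `document.getElementById` has been shadowed, and any mismatch between the two is a cheap signal that something in the markup is naming itself after a DOM API.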




Note that this is with the name attribute, not the id attribute the article is discussing.


Good catch. That would explain why it wasn't mentioned then.


Curiously the article doesn't mention it, but these kinds of vulnerabilities are named DOM clobbering if you want to know more about it!

It's weirdly not that discussed on the web, most probably because it requires a pretty specific situation.


Thank you for this! I had a feeling it wasn't a security issue. I closed my ticket saying it might be one due to finding websites mentioning DOM clobbering.



