Hacker News new | ask | show | jobs
by stonewareslord 1362 days ago
I don't think this article is complete. It mentions no pollution, which is true of window and most HTML elements, but not always. Check this out, you can set an img name to getElementById and now document.getElementById is the image element!

Here's a minimal example (https://jsfiddle.net/wc5dn9x2/):

    <img id="asdf" name="getElementById" />
    <script>
        // The img object
        console.log(document.getElementById);

        // TypeError: document.getElementById is not a function :D
        console.log(document.getElementById('asdf'));
    </script>
I tried poking around for security vulnerabilities with this but couldn't find any :(

It seems that the names overwrite properties on document with themselves only for these elements: embed form iframe img object

Edit: Here's how I found this: https://jsfiddle.net/wc5dn9x2/1/
2 comments
jefftk 1362 days ago
Note that this is with the name attribute, not the id attribute the article is discussing.
link
stonewareslord 1362 days ago
Good catch. That would explain why it wasn't mentioned then
link
dwild 1362 days ago
Curiously the article doesn't mentions it, but theses kinds of vulnerabilities are named DOM clobbering if you want to know more about it!

It's weirdly not that discussed on the web, most probably because it require a pretty specific situation.

link
stonewareslord 1361 days ago
Thank you for this! I had a feeling it wasn't a security issue. I closed my ticket saying it might be one due to finding websites mentioning Dom clobbering
link