Unsafe Names for HTML Form Controls

Unsafe Names

There are roughly three-hundred (300) names which a form control must not have.

Unsafely named elements can be added to a FORM object after the form has been created, or can be included in the HTML source code.

Examples of Unsafe Form Control Names

Unsafe FORM control names can appear in three ways:

  1. In the HTML Source
  2. Added via the DOM
  3. From changing the name property

Browsers do not all behave the same way when unsafe FORM control names are combined with a changing DOM.

Solution: Namespaced Form Controls

A naming system can help avoid unsafe names.

Name the form controls starting with a special prefix. The prefix should be unique and represent the application.

For example, an application named "VortexMail" could use the prefix vtxmail_.

<input name="vtxmail_fname" type="text">
<input name="vtxmail_data" type="file">
<input name="vtxmail_submit" type="submit">

A prefix can also act as an identifying characteristic of your program or company, like a namespace.
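
The naming rule above can be checked mechanically. The following is an added example, not code from the original page: it derives the reserved names by walking a form object's prototype chain, then flags control names that shadow one of them or lack the application prefix. The `formLike` stand-in, the sample markup and all function names are constructed for illustration; in a browser, pass `document.createElement("form")` instead of `formLike`.

```javascript
// Every property name visible on an object, own and inherited.
function reservedNames(pristineForm) {
  const names = new Set();
  for (let o = pristineForm; o !== null; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) names.add(key);
  }
  return names;
}

// Pull the name attributes of form controls out of HTML source.
// A simple scanner for static markup, not a full HTML parser.
function controlNamesFromHtml(html) {
  const re = /<(?:input|select|textarea|button)\b[^>]*?\sname\s*=\s*["']?([^"'\s>]+)/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// One finding per name that shadows a FORM property or lacks the prefix.
function auditControlNames(controlNames, pristineForm, prefix) {
  const reserved = reservedNames(pristineForm);
  const findings = [];
  for (const name of controlNames) {
    if (reserved.has(name)) {
      findings.push({ name, problem: "shadows a FORM property" });
    } else if (!name.startsWith(prefix)) {
      findings.push({ name, problem: "missing prefix " + prefix });
    }
  }
  return findings;
}

// Constructed stand-in for a form and its prototype chain (no DOM needed).
const nodeLike = { appendChild() {}, parentNode: null };
const formLike = Object.assign(Object.create(nodeLike), {
  action: "", method: "get", elements: [], submit() {}, reset() {},
});

// Constructed sample markup mixing namespaced and unsafe names.
const sampleHtml = `
<form action="/send">
  <input name="vtxmail_fname" type="text">
  <input name="data" type="file">
  <input type="submit" name="submit">
  <select name="action"></select>
  <input name="toString" type="hidden">
</form>`;

function runSampleAudit() {
  return auditControlNames(controlNamesFromHtml(sampleHtml), formLike, "vtxmail_");
}
console.log(runSampleAudit());
```

The same `auditControlNames` call can guard the other two routes: run it on a name before appending a control via the DOM or before assigning to its `name` property.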

Unsafe Names - Partial List

This list contains all the names that a form control should never have. It assumes that event handler attributes are never used, and it excludes some proposed properties from HTML 5 [References] (e.g. autofocus, min, max, height, labels, required, valid).

If event handler attributes are used, the list of unsafe names also includes every possible property name that exists on document, window, and the object of the tag that the event handler is declared on (could be any tag). This would bring the list to well over five-hundred (500) unsafe names, including atob, bgColor, clear, close, opener, status, write, etc.

  1. ATTRIBUTE_NODE
  2. CDATA_SECTION_NODE
  3. COMMENT_NODE
  4. DOCUMENT_FRAGMENT_NODE
  5. DOCUMENT_NODE
  6. DOCUMENT_POSITION_CONTAINED_BY
  7. DOCUMENT_POSITION_CONTAINS
  8. DOCUMENT_POSITION_DISCONNECTED
  9. DOCUMENT_POSITION_FOLLOWING
  10. DOCUMENT_POSITION_IMPLEMENTATION_SPECIFIC
  11. DOCUMENT_POSITION_PRECEDING
  12. DOCUMENT_TYPE_NODE
  13. ELEMENT_NODE
  14. ENTITY_NODE
  15. ENTITY_REFERENCE_NODE
  16. NOTATION_NODE
  17. PROCESSING_INSTRUCTION_NODE
  18. TEXT_NODE
  19. accept
  20. acceptCharset
  21. action
  22. addBehavior
  23. addEventListener
  24. addEventSource
  25. addRepetitionBlock
  26. addRepetitionBlockByIndex
  27. all
  28. appendChild
  29. applyElement
  30. ariaBusy
  31. ariaChecked
  32. ariaControls
  33. ariaDescribedby
  34. ariaDisabled
  35. ariaExpanded
  36. ariaFlowto
  37. ariaHaspopup
  38. ariaHidden
  39. ariaInvalid
  40. ariaLabelledby
  41. ariaLevel
  42. ariaMultiselect
  43. ariaOwns
  44. ariaPosinset
  45. ariaPressed
  46. ariaReadonly
  47. ariaRequired
  48. ariaSecret
  49. ariaSelected
  50. ariaSetsize
  51. ariaValuemax
  52. ariaValuemin
  53. ariaValuenow
  54. attachEvent
  55. attributes
  56. autocomplete
  57. baseURI
  58. behaviorUrns
  59. blockDirection
  60. blur
  61. canHaveChildren
  62. canHaveHTML
  63. checkValidity
  64. childElementCount
  65. childNodes
  66. children
  67. className
  68. clearAttributes
  69. click
  70. clientHeight
  71. clientLeft
  72. clientTop
  73. clientWidth
  74. cloneNode
  75. compareDocumentPosition
  76. componentFromPoint
  77. constructor
  78. contains
  79. contentEditable
  80. currentStyle
  81. data
  82. detachEvent
  83. dir
  84. dispatchEvent
  85. dispatchFormChange
  86. dispatchFormInput
  87. document
  88. dragDrop
  89. elements
  90. encoding
  91. enctype
  92. fireEvent
  93. firstChild
  94. firstElementChild
  95. focus
  96. getAdjacentText
  97. getAttribute
  98. getAttributeNS
  99. getAttributeNode
  100. getAttributeNodeNS
  101. getBoundingClientRect
  102. getClientRects
  103. getElementsByClassName
  104. getElementsByTagName
  105. getElementsByTagNameNS
  106. getExpression
  107. getFeature
  108. getUserData
  109. hasAttribute
  110. hasAttributeNS
  111. hasAttributes
  112. hasChildNodes
  113. hasOwnProperty
  114. hideFocus
  115. id
  116. innerHTML
  117. innerText
  118. insertAdjacentElement
  119. insertAdjacentHTML
  120. insertAdjacentText
  121. insertBefore
  122. isContentEditable
  123. isDefaultNamespace
  124. isDefaultNamespaceURI
  125. isDisabled
  126. isEqualNode
  127. isMultiLine
  128. isPrototypeOf
  129. isSameNode
  130. isSupported
  131. isTextEdit
  132. item
  133. lang
  134. language
  135. lastChild
  136. lastElementChild
  137. length
  138. localName
  139. lookupPrefix
  140. mergeAttributes
  141. method
  142. moveRepetitionBlock
  143. msBlockProgression
  144. msBoxSizing
  145. name
  146. namedItem
  147. namespaceURI
  148. nextSibling
  149. nodeName
  150. nodeType
  151. nodeValue
  152. normalize
  153. offsetHeight
  154. offsetWidth
  155. onOffBehavior
  156. onabort
  157. onactivate
  158. onbeforeactivate
  159. onbeforecopy
  160. onbeforecut
  161. onbeforedeactivate
  162. onbeforeeditfocus
  163. onbeforepaste
  164. onblur
  165. onchange
  166. onclick
  167. onclosecapture
  168. oncontextmenu
  169. oncopy
  170. oncut
  171. ondblclick
  172. ondeactivate
  173. ondrag
  174. ondragend
  175. ondragenter
  176. ondragleave
  177. ondragover
  178. onerror
  179. onfocus
  180. onfocusin
  181. onfocusout
  182. onhelp
  183. oninput
  184. onkeydown
  185. onkeypress
  186. onkeyup
  187. onmousedown
  188. onmouseenter
  189. onmouseleave
  190. onmousemove
  191. onmousemultiwheel
  192. onmouseout
  193. onmouseover
  194. onmouseup
  195. onmousewheel
  196. onmove
  197. onmoveend
  198. onmovestart
  199. onpaste
  200. onpropertychange
  201. onreadystatechange
  202. onresize
  203. onresizeend
  204. onresizestart
  205. onscroll
  206. onsearch
  207. onselect
  208. onselectstart
  209. ontimeerror
  210. onunload
  211. outerHTML
  212. outerText
  213. ownerDocument
  214. parentNode
  215. parentTextEdit
  216. prefix
  217. previousElementSibling
  218. previousSibling
  219. propertyIsEnumerable
  220. querySelector
  221. querySelectorAll
  222. quotes
  223. releaseCapture
  224. removeAttribute
  225. removeAttributeNS
  226. removeAttributeNode
  227. removeBehavior
  228. removeChild
  229. removeEventListener
  230. removeEventSource
  231. removeExpression
  232. removeNode
  233. removeRepetitionBlock
  234. repeatMax
  235. repeatMin
  236. repeatStart
  237. repetitionBlocks
  238. repetitionIndex
  239. repetitionTemplate
  240. repetitionType
  241. replace
  242. replaceAdjacentText
  243. replaceChild
  244. replaceNode
  245. reset
  246. resetFromData
  247. role
  248. runtimeStyle
  249. schemaTypeInfo
  250. scopeName
  251. scrollByLines
  252. scrollByPages
  253. scrollHeight
  254. scrollIntoView
  255. scrollLeft
  256. scrollTop
  257. scrollWidth
  258. selectNodes
  259. selectSingleNode
  260. setActive
  261. setAttributeNS
  262. setAttributeNode
  263. setAttributeNodeNS
  264. setCapture
  265. setExpression
  266. setIdAttribute
  267. setIdAttributeNS
  268. setIdAttributeNode
  269. setUserData
  270. sourceIndex
  271. spellcheck
  272. style
  273. submit
  274. swapNode
  275. tabIndex
  276. tagName
  277. tagUrn
  278. target
  279. templateElements
  280. text
  281. textContent
  282. title
  283. toLocaleString
  284. toString
  285. uniqueID
  286. unselectable
  287. unwatch
  288. urns
  289. valueOf
  290. watch
  291. window

Early Adopter

Safari 3 has implemented the behavior specified in more closely than Safari 2. Safari 3 replaces more pre-existing properties of a FORM when an element with the same name is added.
