Named element IDs can be referenced as JavaScript globals

The global scope polluter has pretty bad performance and interop surprises, you shouldn't depend on it and instead use getElementById even if it's a bit more verbose.

It uses a property interceptor which is fairly slow in v8:

https://source.chromium.org/chromium/chromium/src/+/main:out...

to call this mess of security checks:

https://source.chromium.org/chromium/chromium/src/+/main:thi...

which has this interop surprise:

https://source.chromium.org/chromium/chromium/src/+/main:thi...

which in the end scans the document one element at a time looking for a match here:

https://source.chromium.org/chromium/chromium/src/+/main:thi...

In contrast getElementById is just a HashMap lookup, only does scanning if there's duplicates for that id, and never surprisingly returns a list!

I'm surprised to find that this trick still works even in the new backwards-incompatible JavaScript Modules (using <script type="module">), which enables "strict" mode and a number of other strictness improvements by default.

I believe it works because the global object ("globalThis") is the Window in either case; this is why JavaScript Modules can refer to "window" in the global scope without explicitly importing it.

    <!DOCTYPE html><body>
        <div id="cool">cool</div>
        <script>
            console.log(this); // Window
            console.log(globalThis); // Window
            console.log("script", cool.innerHTML); // script cool
        </script>
        <script type="module">
            console.log(this); // undefined
            console.log(globalThis); // Window
            console.log("module", cool.innerHTML); // module cool
        </script>
    </body></html>

This seems like a missed opportunity. JavaScript Modules should have been required to "import {window} from 'dom'" or something, clearing out its global namespace.

I don't think this article is complete. It mentions no pollution, which is true of window and most HTML elements, but not always. Check this out, you can set an img name to getElementById and now document.getElementById is the image element!

Here's a minimal example (https://jsfiddle.net/wc5dn9x2/):

    <img id="asdf" name="getElementById" />
    <script>
        // The img object
        console.log(document.getElementById);

        // TypeError: document.getElementById is not a function :D
        console.log(document.getElementById('asdf'));
    </script>

I tried poking around for security vulnerabilities with this but couldn't find any :(

It seems that the names overwrite properties on document with themselves only for these elements: embed form iframe img object

Edit: Here's how I found this: https://jsfiddle.net/wc5dn9x2/1/

Another similar gotcha is that the global-scoped `name` variable must be a string. See https://developer.mozilla.org/en-US/docs/Web/API/Window/name for details.

    var name = true;
    typeof name; // "string", not "boolean"

Luckily, this is not true within ES modules which you probably use most of the time anymway.

    <script>
        var _value = "test value";
        Object.defineProperty(window, "testName", {
            get: () => _value,
            set: (value) => { _value = String(value) },
        });
    </script>
    <script>
        var testName = {};
        // prints [object Object] string
        console.log(testName, typeof testName);
        var name = {};
        // prints [object Object] string
        console.log(name, typeof name);
    </script>

This is one of those things that pops up every year or two years. Unfortunately, the person writing about the new discovered weird trick almost always fails to precede the article with a big, red, bold "Please don't ever do this".

This has been a thing since the 90s. I really wish we'd done away with it for any document that specifies itself as HTML5.

It's great for hacking a tiny script together, however.

This always reminded me of PHP’s infamous register_globals. For those unfamiliar, anything in the ‘$_REQUEST’ array (which itself comprises of $_POST, $_GET, and $_COOKIE merged together) is added to the global scope. So if you made a request to index.php?username=root, $username would contain “root” unless it was explicitly initialized it before it was used.

iirc this doesn't work in Firefox? or at least it doesn't work the same way as in Chrome. I developed a tiny home-cooked app[0] that depended on this behavior using desktop Chrome which then broke when I tried to use it on mobile Firefox. I then switched it to using

  document.getElementById

like I should have and everything worked fine. Like others in this thread, I recommend not relying on this behavior.

[0]: https://www.robinsloan.com/notes/home-cooked-app/

> It is implemented differently in browsers

In 2022, that alone is enough to wipe it from my toolbox as a web developer. Ain't nobody got time for that.

(... there are lots of other reasons it'd be bad practice to rely on this as well, although it's nice for debugging when available).

Seems like something that could have been made safer just by name spacing it a bit better.

Something like “window.elements.myDiv”? I wonder why the decision to go straight to the root.

  <div id="foo"></div>
  <script>
    const { foo } = document.all
    // do something with foo
  </script>

    // proxy to simplify loading and caching of getElementById calls
    const $id = new Proxy({}, {
        // get element from cache, or from DOM
        get: (tgt, k, r) => (tgt[k] || ((r = document.getElementById(k)) && (tgt[k] = r))),
        
        // prevent overwriting
        set: () => $throw(`Attempt to overwrite id cache key!`)
    });

    <div id="something></div>

    $id.something.innerHTML = 'inside!';

I saw this "shortcut" used in code snippets, on online JS/CSS/HTML editors like JSFiddle. It did not even occur to me this was part of JS spec, I thought the editor was generating code behind my back!

Now I'm worried of using IDs and finding issues with globals in JavaScript. Seems to be a curious issue to be debugged.

I discovered this the hard way and I am still really torn. The entire window global object is just a minefield.

>To add insult to the injury, named elements are accessible as global variables only if the names contain nothing but letter.

This doesn't seem to be true as shown within this fiddle: https://jsfiddle.net/L785cpdo/1/

Bear in mind that only undefined elements will be declared this way

For me, the disadvantage above any listed on the blog is that if I saw this global variable referenced in some code (especially old code, where some parts might be defunct), I would have absolutely no idea where it came from, and I bet a lot of others would struggle too.

Isn't the opposite of

>So, if a DOM element has an id that is already defined as a global, it won’t override the existing one.

So, if a global has name of the id of a DOM element, it won’t override the existing one?

Wouldn't it be clearer to say globals always before DOM ids?

This was mostly useful back in the days when we had to manually query dom during development and debugging. I've seen some pretty horrible things but never have I seen this in a codebase, not even in a commit

I've definitely used this shortcut to make CodePens less verbose…

I wouldn't use it in production, but it's handy for banging together a proof-of-concept.

It hurts

It would make sense to disable this with new release of HTML, for example if the author uses an HTML6 doctype.

And named form controls are accessible as properties of the same name on their form element.

*rigamorale

Should read “rigamarole”

This is my favorite HTML and JS feature!

I don't want to sound like I have an axe to grind (but I do), but this is the kind of feature/wart that shows the age of the HTML/CSS/JS stack.

The whole thing is ripe for a redo. I know they get a lot of hate, but of all the big players in this space I think FB is the best equipped to do this in a way that doesn't ruin everything. I just wonder if they have an incentive (maybe trying to break the Google/MS hegemony on search?).