Insert link facilitates phishing attacks

Thijs Alkemade thijsalkemade at gmail.com
Wed Nov 20 20:23:31 EST 2013


On 21 nov. 2013, at 01:59, Coyo <coyo at darkdna.net> wrote:

> He's got a point. It wouldn't exactly be a breaking change to silently change the anchor's target to the link in the description. Descriptions such as "click here" are legitimate, but if "twitter.com" links to something that isn't "twitter.com/intent/follow" or something within the same domain, I can't think of any legitimate use cases that would break if this were filtered.

Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”… there are probably hundreds of UTF-8 characters that, when not examined closely, can be confused for a dot. Or hidden characters that will throw off your domain name check. Figuring out what might look like a URL to users is not as easy as it might sound.

Thijs
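As an added illustration (example code written for this page, not from the thread or from any client's source): a Python check that flags a link whose visible description reads as a domain name that does not match the target's host, after folding the description through a small, constructed table of dot look-alikes and dropping combining and invisible characters. The table and the `normalize_host` heuristic are assumptions and deliberately incomplete, which is the difficulty Thijs points out: every character a reader might take for a dot has to be enumerated.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed, intentionally small table of characters a reader may take for a
# dot. Assumption: a real confusables table (e.g. Unicode TR39) is far larger.
DOT_LOOKALIKES = {
    ",": ".",        # comma
    "\u00b8": ".",   # cedilla
    "\u0323": ".",   # combining dot below
    "\u02d9": ".",   # dot above
    "\u2024": ".",   # one dot leader
    "\uff0e": ".",   # fullwidth full stop
    "\u3002": ".",   # ideographic full stop
}

# Looks like a host name once normalised: labels separated by dots, alpha TLD.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalize_host(text):
    """Fold a visible link description toward what a reader perceives."""
    text = text.strip().lower()
    # Map dot look-alikes first, before NFKD splits e.g. U+00B8 into a space
    # plus a combining mark that would otherwise just be dropped below.
    text = "".join(DOT_LOOKALIKES.get(ch, ch) for ch in text)
    text = unicodedata.normalize("NFKD", text)
    # Drop combining marks (Mn), format/invisible characters (Cf) such as a
    # zero-width space, and spaces (Zs) that only pad the spoofed name.
    return "".join(ch for ch in text
                   if unicodedata.category(ch) not in ("Mn", "Cf", "Zs"))


def looks_like_domain(text):
    return bool(DOMAIN_RE.match(normalize_host(text)))


def link_is_suspicious(description, href):
    """True when the description reads as a domain that href does not lead to.

    A description that does not look like a domain ("click here") is never
    flagged; an href without a parseable host is always flagged.
    """
    if not looks_like_domain(description):
        return False
    shown = normalize_host(description)
    target = (urlparse(href).hostname or "").lower()
    # Accept an exact match or a subdomain of the shown name, e.g. the
    # description "twitter.com" pointing at www.twitter.com.
    return not (target == shown or target.endswith("." + shown))
```

The check catches the dot substitutions quoted in the reply but not letter-level homoglyphs, so it is a filter that narrows the problem rather than one that solves it.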
