Insert link facilitates phishing attacks

Thijs Alkemade thijsalkemade at
Wed Nov 20 20:23:31 EST 2013

On 21 nov. 2013, at 01:59, Coyo <coyo at> wrote:

> He's got a point. It wouldn't exactly be a breaking change to silently change the anchor's target to the link in the description. descriptions such as "click here" are legitimate, but if "" links to something that isn't "" or something within the same domain, I can't think of any legitimate use cases that would break if this were filtered.

Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”… there are probably hundreds of UTF8 characters that, when not examined closely, can be confused for a dot. Or hidden characters that will throw off your domain name check. Figuring out what might look like an URL to users is not as easy as it might sound.


More information about the Devel mailing list