Insert link facilitates phishing attacks

Ashish Gupta ashmew2 at
Wed Nov 20 20:36:45 EST 2013

As Mark said,  if you just let your browser open the link that is being
shown, the browser will simply open twitter<not a dot>com , which will
ultimately fail with something like a "Please check the URL. Page not

Wouldn't that take care of the problem automatically ?

- Ashish
On 21 Nov 2013 06:53, "Thijs Alkemade" <thijsalkemade at> wrote:

> On 21 nov. 2013, at 01:59, Coyo <coyo at> wrote:
> > He's got a point. It wouldn't exactly be a breaking change to silently
> change the anchor's target to the link in the description. descriptions
> such as "click here" are legitimate, but if "" links to
> something that isn't "" or something within the
> same domain, I can't think of any legitimate use cases that would break if
> this were filtered.
> Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”…
> there are probably hundreds of UTF8 characters that, when not examined
> closely, can be confused for a dot. Or hidden characters that will throw
> off your domain name check. Figuring out what might look like an URL to
> users is not as easy as it might sound.
> Thijs
> _______________________________________________
> Devel mailing list
> Devel at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Devel mailing list