Insert link facilitates phishing attacks

Ashish Gupta ashmew2 at
Wed Nov 20 21:03:47 EST 2013

Probably a helpful post-click message box will help the situation,

"The link you are trying to open contains characters that are neither
alphanumeric nor one of [ "-", "." ...]. Should I still proceed?"

- Ashish
On 21 Nov 2013 07:06, "Ashish Gupta" <ashmew2 at> wrote:

> As Mark said, if you just let your browser open the link that is being
> shown, the browser will simply open twitter<not a dot>com, which will
> ultimately fail with something like a "Please check the URL. Page not
> found.".
> Wouldn't that take care of the problem automatically?
> - Ashish
> On 21 Nov 2013 06:53, "Thijs Alkemade" <thijsalkemade at> wrote:
>> On 21 nov. 2013, at 01:59, Coyo <coyo at> wrote:
>> > He's got a point. It wouldn't exactly be a breaking change to silently
>> > change the anchor's target to the link in the description. Descriptions
>> > such as "click here" are legitimate, but if "" links to
>> > something that isn't "" or something within the
>> > same domain, I can't think of any legitimate use cases that would break if
>> > this were filtered.
>> Then they can still send “twitter,com”, “twitter ̣com”, “twitter¸com”…
>> there are probably hundreds of UTF8 characters that, when not examined
>> closely, can be confused for a dot. Or hidden characters that will throw
>> off your domain name check. Figuring out what might look like a URL to
>> users is not as easy as it might sound.
>> Thijs
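The two checks discussed in this thread (a prompt when URL-like link text contains characters other than alphanumerics, "-" and ".", and a comparison of that text against the real target host), as an added Python example that is not part of the original thread or the project's code. The function names, the "looks like a URL" heuristic and the sample links are assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

SAFE = re.compile(r"[A-Za-z0-9.-]+")                 # alphanumerics, "-" and "."
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# alphanumeric, one separator that is not "-", alphanumeric: "r.c", "r,c", "r¸c"
SEPARATED = re.compile(r"[^\W_][^\w\s-][^\W_]")


def display_host(text):
    """Host-like part of link text, or None for text such as "click here"."""
    text = text.strip()
    if not text or any(c.isspace() for c in text):
        return None
    host = re.split(r"[/?#]", SCHEME.sub("", text), maxsplit=1)[0]
    return host if SEPARATED.search(host) else None


def check_link(text, href):
    """Return warnings to show before opening href; empty list means no prompt."""
    shown = display_host(text)
    if shown is None:
        return []                       # descriptive text, nothing to compare
    warnings = []
    odd = sorted({c for c in shown if not SAFE.fullmatch(c)})
    if odd:
        names = ", ".join(unicodedata.name(c, hex(ord(c))) for c in odd)
        warnings.append("unusual characters in link text: " + names)
    target = (urlsplit(href).hostname or "").lower()
    shown = shown.lower()
    if shown != target and not target.endswith("." + shown):
        warnings.append(f"text shows {shown!r} but the link opens {target!r}")
    return warnings


if __name__ == "__main__":
    # Constructed samples; phish.example is a placeholder target.
    samples = [
        ("click here", "https://twitter.com/"),
        ("twitter.com", "https://mobile.twitter.com/"),
        ("twitter.com", "http://phish.example/"),
        ("twitter,com", "http://phish.example/"),
        ("twitter\u00b8com", "http://phish.example/"),
    ]
    for text, href in samples:
        print(repr(text), "->", check_link(text, href) or "open")
```

The first check is an allow-list, so any dot lookalike is flagged without a table of confusable characters; link text containing whitespace is treated as descriptive here and is not checked.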