mickey wrote:
> <a href="http://google.com"
> onclick="this.href='http://yahoo.com'">Spoof link should go to
> google</a>

It is even simpler and more compatible:
<a href="http://google.com"
onclick="location='http://yahoo.com'; return false;">Spoof link should go to google</a>
This is part of DOM Level 0, therefore possible since JavaScript 1.1
(NN3; the DOM was still part of the language then), and IE3 -- both
released in August 1996.

> both in IE and Firefox, users see google in the status bar and assume
> that it will go to mozilla, but then at the last second, once users
> click the link, the browser actually goes to yahoo. of course you can
> obfuscate this by making the onclick a function, defined in some
> external file. this is dangerous!

I would call that harmful, but not dangerous (OK, considering the
content of yahoo.com maybe even that :)).
Users should be aware that such is entirely possible with client-side
scripting. Anybody paranoid enough may disable script support where
the problem will disappear. But client-side scripting can provide many
useful features, so vendors should develop a block feature for such
script-kiddie nonsense as they have for hiding the status bar, e.g.;
the question is: how to detect what is a useful redirection and what
is not?
BTW: This is a *news*group. [psf 4.16]
PointedEars
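
Added example, not part of the original posts: a static check that answers the closing question for the simplest case by flagging anchors whose inline onclick navigates to a different host than the href shown in the status bar. The names findSpoofedLinks and SAMPLE are hypothetical, and SAMPLE is constructed from the two snippets in the thread plus one same-host link.

```javascript
// Added example: flag <a> tags whose inline onclick sends the browser to a
// different host than the href the user sees in the status bar.
// Heuristic only: it reads inline handlers with literal URLs and cannot see
// handlers defined as functions in external files.

// The two navigation styles from the thread: this.href='...' and location='...'
const NAV_ASSIGN = /(?:this\.href|(?:window\.|document\.)?location(?:\.href)?)\s*=\s*(['"])(.*?)\1/gi;

// Return the value of a quoted attribute from a raw start tag, or null.
function attr(tag, name) {
  const m = new RegExp('\\s' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\')', 'i').exec(tag);
  return m ? (m[2] !== undefined ? m[2] : m[3]) : null;
}

// Host of an absolute URL, or null for relative or unparsable values.
function hostOf(url) {
  try { return new URL(url).host.toLowerCase(); } catch (e) { return null; }
}

function findSpoofedLinks(html) {
  const findings = [];
  for (const tag of html.match(/<a\s[^>]*>/gi) || []) {
    const href = attr(tag, 'href');
    const onclick = attr(tag, 'onclick');
    if (!href || !onclick) continue;
    const shown = hostOf(href);
    NAV_ASSIGN.lastIndex = 0; // global regex keeps state between calls
    let m;
    while ((m = NAV_ASSIGN.exec(onclick)) !== null) {
      const actual = hostOf(m[2]);
      // A same-host redirect is treated as benign; a host change is reported.
      if (shown && actual && shown !== actual) findings.push({ shown: href, actual: m[2] });
    }
  }
  return findings;
}

// Constructed sample: both snippets from the thread, then a same-host link.
const SAMPLE = `
<a href="http://google.com"
onclick="this.href='http://yahoo.com'">Spoof link should go to google</a>
<a href="http://google.com"
onclick="location='http://yahoo.com'; return false;">Spoof link should go to google</a>
<a href="http://google.com/" onclick="location='http://google.com/maps'; return false;">same host</a>
`;

console.log(findSpoofedLinks(SAMPLE));
```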