"Clint Bodungen" <[EMAIL PROTECTED]> wrote: > Well, using a straight link like the following works in an HTML email... but > not on a web page: > > <a href="http://[EMAIL PROTECTED]">Microsoft</a> > > However, using this approach still allows the user to see the absolute URL > path in the task bar (with the %01 ommitted).
Not "omitted" but replaced with a (narrow) space. The appearance of the absolute URL in the task bar is not a problem though. Depending on how the URL is contained in the page this can be "fixed" with things such as "onmouseover" (one of the reasons the combination of such a "functional" DOM and scripting is pure evil...) and we have seen spammers do this already. Of course, as the main concern here is only to fool IE users (almost a foregone conclusions because they _are_ IE users...) the old standard "obfuscate the URL in IE's task bar" trick of sticking a few dozen spaces after the spoofed domain and before the "@" (or before the "%01@" in this case) works just fine. > On the other hand... using the button and "unescape()" approach such as the > original example from this thread works from a web page but not from an HTML > email. Because you use a recent enough version of OE or Outlook which defaults to placing Email in the Restricted Sites zone which defaults to not allowing scripting... Other MUAs dependent on IE's HTML rendering ActiveX controls may not be so forgiving and there are other ways to trick this out (see my forthcoming post about refreshes and the possibility of it working from server-side redirects). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
