
Using IDN character mapping bypasses URL blacklists
Closed, Duplicate · Public

Description

Wikipedia blocks, for example, URL shorteners like bit.ly; so (again, for example) the URL http://bit.ly/uRmAhs.qr cannot be added to a page.

A simple change to http://bit.ⓛy/uRmAhs.qr allows the URL to be added to a page.

Other character representations can also be used; see https://shkspr.mobi/blog/2018/11/domain-hacks-with-unusual-unicode-characters/ for an explanation; https://en.wikipedia.org/wiki/User:Pigsonthewing/URL-test for a proof of concept; and https://en.wikipedia.org/w/index.php?title=User:Pigsonthewing/URL-test&oldid=867396474 for a live bit.ly URL.
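A sketch of the check a blacklist needs to close this gap, added here as an example and not taken from the report or from MediaWiki's code: fold the hostname to the form a browser resolves before matching it. The function names and the one-entry `BLOCKED` set are assumptions, and NFKC plus case folding only approximates the full IDNA (UTS #46) mapping.

```python
import unicodedata
from urllib.parse import urlsplit

BLOCKED = {"bit.ly"}  # constructed sample blacklist (assumption)

# Characters that IDNA treats as label separators, like "."
IDNA_DOTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def canonical_host(url):
    """Return the hostname roughly as a browser would resolve it."""
    host = urlsplit(url).hostname or ""
    # NFKC folds compatibility characters (circled, fullwidth, ...) to
    # their plain forms; casefold handles case variants.
    host = unicodedata.normalize("NFKC", host.translate(IDNA_DOTS))
    host = host.casefold().rstrip(".")
    try:
        # Convert any remaining non-ASCII labels to Punycode (xn--...)
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host  # not a valid IDN; match on the folded text


def _matches(host):
    """True if host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED)


def naive_blocked(url):
    """The bypassable check: compares the hostname as written."""
    return _matches(urlsplit(url).hostname or "")


def blocked(url):
    """The normalizing check: compares the canonical hostname."""
    return _matches(canonical_host(url))


if __name__ == "__main__":
    # The two URLs from the report
    for u in ("http://bit.ly/uRmAhs.qr", "http://bit.\u24dby/uRmAhs.qr"):
        print(u, "naive:", naive_blocked(u), "normalized:", blocked(u))
```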

Event Timeline

Restricted Application added a subscriber: Aklapper. · Nov 5 2018, 1:28 PM
Aklapper renamed this task from "Simple trick bypases URL blacklists" to "Using IDN character mapping bypasses URL blacklists". · Nov 5 2018, 1:54 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)". · Nov 26 2018, 3:21 PM