Hacking the <a> tag in 100 characters

Hacking the <a> tag in 100 characters

I found this quite interesting. Given how simple it is to spoof a link you would figure this is a considerable oversight.

Firefox seems to have it fixed either.
I've tried it.

Links to paypal fine for me?

Could be that I've always used NoScript for years now.

Or, you know, just look at the address bar before you type in anything. lol

Quote:

---

Originally Posted by Robert

Links to paypal fine for me?

Could be that I've always used NoScript for years now.

---

The bug was reported to firefox, opera, chrome. Got fixed.

NoScript probably prevents it too though.

This article is retarded. Why would you change the href on a tag? All you have to do is preventDefault on the event and just set the window location.

Code:

---

function loljacked(event){
    event.preventDefault();
    window.location = 'http://www.google.com';
}
Array.prototype.slice.call(document.querySelectorAll('a')).forEach(function(link){
  link.addEventListener('click', loljacked);
});

---

Open your console and run it.

Quote:

---

Originally Posted by Arcelor

The bug was reported to firefox, opera, chrome. Got fixed.

---

No, it works in Google Chrome unless you open it in a new tab.

Quote:

---

Originally Posted by Jubatus

No, it works in Google Chrome unless you open it in a new tab.

---

It works on firefox too.