>> I guess I'm confused why you think this is a vulnerability... It's
>> simply another way to represent an IP address that browsers grok.
>> Is it obfuscation? Sure. But hell, for the average internet user,
>> a NON-obfuscated IP address is cryptic enough. ;) This is just
>> another way to do it...
>
> Might I suggest reading the specification for URLs. I believe that
> only DNS addresses and decimal dotted quads are "legal". The other
> misrepresentations are not permitted so responding to them is a bug
> for a browser or other URL based tool. If I'm wrong I'd like to know
> with the appropriate URL RFC cited.
>
> {^_^}

I didn't say legal. :) Browsers have a long and rich history of bending/breaking the "rules" in order to make the browsing experience faster/better/insert-buzzword-here. HTML content (web pages, rich email, blah blah blah) is horrifying nowadays. Standards? Nope, standards get in the way. I wouldn't be surprised if a vast majority of the HTML clients out there (web browsers, email clients, etc) exhibit this behavior.

There's a difference between "vulnerability" and "it works anyway". Honest question - do you believe this is a *vulnerability*, or are you just irritated because it's happening? :) Not intending to come across as snarky... I just don't think this is a bug or vulnerability, but probably considered a "feature".

Benny

--
"Cats land on their feet. Toast lands peanut butter side down. A cat with toast strapped to its back will hover above the ground in a state of quantum indecision." -- Unknown
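
Added example, not part of the original thread: a filter-side check that reduces a URL host to a dotted quad the way lenient clients do, so a link whose host is an alternate numeric form can be flagged and compared against the same blocklists as the plain address. It assumes the inet_aton-style rules (0x for hex, leading 0 for octal, one to four parts with the last part filling the remaining bytes); the function names are hypothetical and the sample hosts are constructed from the documentation address 192.0.2.1.

```python
from urllib.parse import urlsplit

def _part(p):
    """Parse one dot-separated component as a C-style number, or None."""
    if not p:
        return None
    if p[:2] in ("0x", "0X"):
        digits, base = p[2:] or "0", 16
    elif len(p) > 1 and p[0] == "0":
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    allowed = "0123456789abcdef"[:base]
    if any(c not in allowed for c in digits.lower()):
        return None
    return int(digits, base)

def loose_ipv4(host):
    """Return the dotted quad a lenient client would connect to, else None."""
    if host.endswith("."):
        host = host[:-1]
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if None in nums:
        return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills whatever bytes remain.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def check_url(url):
    """Classify a URL's host: plain dotted quad, alternate numeric form, or other."""
    host = urlsplit(url).hostname
    if host is None:
        return ("no-host", None)
    ip = loose_ipv4(host)
    if ip is None:
        return ("not-numeric-ipv4", host)
    return ("dotted-quad" if host == ip else "obfuscated-ip", ip)

if __name__ == "__main__":
    # Constructed sample links, all built from the documentation address 192.0.2.1.
    for u in ("http://192.0.2.1/", "http://3221225985/", "http://0300.0.0x2.1/",
              "http://192.513/", "http://www.example.com/"):
        print(u, check_url(u))
```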