Link in Title Attribute

Discussion in 'HTML' started by Blinky the Shark, Sep 28, 2007.

  1. I'd say this was a weird one. Someone in a not-HTML group (a browser
    group it was) this morning asked for a way to have the user that clicks
    on a link be sent to a URL in the anchor's title attribute rather than
    to the hreffed URL.

    Anyone ever heard of such?

    Yes, I have the thread set for "watch". I just thought it might be an
    interesting thing to look at here.


    --
    Blinky RLU 297263
    Killing all posts from Google Groups
    The Usenet Improvement Project moved to this site August 28th:
    http://improve-usenet.org
    Blinky the Shark, Sep 28, 2007
    #1
    1. Advertising

  2. Scripsit Blinky the Shark:

    > I'd say this was a weird one. Someone in a not-HTML group (a browser
    > group it was) this morning asked for a way to have the user that
    > clicks on a link be sent to a URL in the anchor's title attribute
    > rather than to the hreffed URL.


    It's of course impossible in HTML. Playing with JavaScript, you could modify
    the href attribute value when the link is clicked on, or you could directly
    tell the browser to go to a specific address. User agents with JavaScript
    disabled or not in use would naturally keep using the original href
    attribute. Maybe this is the idea? Cheating indexing robots to think that
    the page links to page X when it in fact "links" to Y when JavaScript is
    enabled.

    > Anyone ever heard of such?


    Not about that particular technical idea, but I've seen a lot of crap on the
    Web and many "clever" ideas of cheating, shooting oneself on the foot and
    spitting at users.

    --
    Jukka K. Korpela ("Yucca")
    http://www.cs.tut.fi/~jkorpela/
    Jukka K. Korpela, Sep 28, 2007
    #2
    1. Advertising

  3. Blinky the Shark wrote:
    > I'd say this was a weird one. Someone in a not-HTML group (a browser
    > group it was) this morning asked for a way to have the user that clicks
    > on a link be sent to a URL in the anchor's title attribute rather than
    > to the hreffed URL.
    >
    > Anyone ever heard of such?
    >
    > Yes, I have the thread set for "watch". I just thought it might be an
    > interesting thing to look at here.
    >
    >


    It would be nasty eh? Well seems to work...I would say the JavaScript
    would go in external file to complete the deception. The link will of th
    thatway.html and not thisway.html, of course when JavaScript is enabled:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
    "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
    <meta http-equiv="content-language" content="en-us">
    <title>Deception</title>

    <script type="text/javascript">

    function trick(e){
    var me;
    if(!e) var e=window.event;
    if(e.target) me=e.target; // W3C
    else if(e.srcElement) me=e.srcElement; // MSIE
    if(me.nodeType == 3) me=me.parentNode; // Safari bug els with TEXT

    me.href=me.title; // now do the switcheroo!
    }

    function initTrick(){
    var dalink=document.getElementById('fakeout');

    if(dalink.addEventListener){
    dalink.addEventListener('click', trick, false);
    }
    else if(dalink.attachEvent){ //MS IE support
    dalink.attachEvent('onclick', trick);
    }
    }

    // attach event after page loads
    if( window.addEventListener ) {
    window.addEventListener('load',initTrick,false); //legacy
    } else if( document.addEventListener ) {
    document.addEventListener('load',initTrick,false); //proper
    } else if( window.attachEvent ) {
    window.attachEvent("onload", initTrick); //IE only
    }

    </script>

    </head>
    <body>
    <p>Well, let's see here...
    <a id="fakeout" href="thisway.html" title="thatway.html">Fake This Way</a>
    </p>
    </body>
    </html>



    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Sep 28, 2007
    #3
  4. Jukka K. Korpela wrote:
    > Scripsit Blinky the Shark:
    >
    >> I'd say this was a weird one. Someone in a not-HTML group (a browser
    >> group it was) this morning asked for a way to have the user that
    >> clicks on a link be sent to a URL in the anchor's title attribute
    >> rather than to the hreffed URL.

    >
    > It's of course impossible in HTML. Playing with JavaScript, you could modify
    > the href attribute value when the link is clicked on, or you could directly
    > tell the browser to go to a specific address. User agents with JavaScript
    > disabled or not in use would naturally keep using the original href
    > attribute. Maybe this is the idea? Cheating indexing robots to think that


    If anything interesting appears from that poster, I'll report back in
    this thread.

    If anyone is interested that uses or is willing to set up
    news.mozilla.org, the query appeared in mozilla.support.firefox and the
    thread has the Subject header

    clickable title

    > the page links to page X when it in fact "links" to Y when JavaScript is
    > enabled.


    >> Anyone ever heard of such?

    >
    > Not about that particular technical idea, but I've seen a lot of crap on the
    > Web and many "clever" ideas of cheating, shooting oneself on the foot and
    > spitting at users.


    I'd classify this along with those. Naturally my first knee-jerk
    response was "deception", but it doesn't seem very deceptive to have the
    user directed to a URL that he's likely to plainly see on hovering and
    which is just as visible in the anchor as is the href.


    --
    Blinky RLU 297263
    Killing all posts from Google Groups
    The Usenet Improvement Project moved to this site August 28th:
    http://improve-usenet.org
    Blinky the Shark, Sep 28, 2007
    #4
  5. Jonathan N. Little wrote:
    > Blinky the Shark wrote:
    >> I'd say this was a weird one. Someone in a not-HTML group (a browser
    >> group it was) this morning asked for a way to have the user that clicks
    >> on a link be sent to a URL in the anchor's title attribute rather than
    >> to the hreffed URL.
    >>
    >> Anyone ever heard of such?
    >>
    >> Yes, I have the thread set for "watch". I just thought it might be an
    >> interesting thing to look at here.

    >
    > It would be nasty eh? Well seems to work...I would say the JavaScript
    > would go in external file to complete the deception. The link will of th
    > thatway.html and not thisway.html, of course when JavaScript is enabled:


    Remind me to make sure NoScript has your sites in its crosshairs. ;)

    <snip fiendish but creative code> :)


    --
    Blinky RLU 297263
    Killing all posts from Google Groups
    The Usenet Improvement Project - http://improve-usenet.org
    Blinky the Shark, Sep 28, 2007
    #5
  6. Scripsit Blinky the Shark:

    > I'd classify this along with those. Naturally my first knee-jerk
    > response was "deception", but it doesn't seem very deceptive to have
    > the user directed to a URL that he's likely to plainly see on
    > hovering and which is just as visible in the anchor as is the href.


    It might be intended to deceive search engines rather than users directly.
    But such deception, too, is ultimately aimed at deceiving people.

    I have to disagree with your note somewhat, though. The "tooltip" effect is
    not ubiquous, it is not required by any specification, etc. Neither is the
    "status line" effect (displaying the URL in the browser's status line on
    mouseover), but it's something that _has_ been meant for showing the URL,
    whereas the title attribute is not meant for that but for use as "advisory
    title".

    The direct deception, whether intentional or not, arises from the fairly
    natural user behavior of looking at the status line to see the URL.

    --
    Jukka K. Korpela ("Yucca")
    http://www.cs.tut.fi/~jkorpela/
    Jukka K. Korpela, Sep 29, 2007
    #6
  7. Blinky the Shark

    BigDaddyBS Guest

    "Blinky the Shark" <> wrote in message
    news:...
    > Jonathan N. Little wrote:
    >> Blinky the Shark wrote:
    >>> I'd say this was a weird one. Someone in a not-HTML group (a browser
    >>> group it was) this morning asked for a way to have the user that clicks
    >>> on a link be sent to a URL in the anchor's title attribute rather than
    >>> to the hreffed URL.
    >>>
    >>> Anyone ever heard of such?
    >>>
    >>> Yes, I have the thread set for "watch". I just thought it might be an
    >>> interesting thing to look at here.

    >>
    >> It would be nasty eh? Well seems to work...I would say the JavaScript
    >> would go in external file to complete the deception. The link will of th
    >> thatway.html and not thisway.html, of course when JavaScript is enabled:

    >
    > Remind me to make sure NoScript has your sites in its crosshairs. ;)
    >
    > <snip fiendish but creative code> :)
    >
    >
    > --
    > Blinky RLU 297263
    > Killing all posts from Google Groups
    > The Usenet Improvement Project - http://improve-usenet.org


    Weird? Yes. To fake out search engines? Possibly.

    But the way I see it, Jonathan, who posted the "fiendish but creative code"
    just gave phishers, scammers, and malware senders ANOTHER way to get people
    to go to sites where the sole purpose in life is to cheat the poor slobs who
    don't see the cheat.

    First thing I thought of when I read the above was something like the
    following:

    "Use this link to change your Login info: Mobile Fun" [underlying link:
    http:// 219.70.221.5/]

    which is one of the scam/malware emails that can be found at my page
    http://www.orangefrogproductions.com/ofp2s_malware_email_example_009-011_page2.shtml.

    From my experience, those who try to hide to where a page links, are trying
    to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
    engines. Yes, those of us "in the know" can rollover the link and see the
    underlying one, and the title, so if a link appears in that attribute that
    doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
    realize the implications. (One of the reasons for my Scams info.)

    Please be careful the code you post. (This is one of the first times I've
    seen this type of questions and full code posted.) - You might just be
    giving the "bad guys" more ammo! (It's nice to know how its done, but why
    show THEM?)

    (Sorry if I come off like being on a "high horse", but GEEZE!)

    --
    BigDaddyBS
    BigDaddyBS, Sep 29, 2007
    #7
  8. BigDaddyBS wrote:

    > But the way I see it, Jonathan, who posted the "fiendish but creative code"
    > just gave phishers, scammers, and malware senders ANOTHER way to get people
    > to go to sites where the sole purpose in life is to cheat the poor slobs who
    > don't see the cheat.


    Not really. My code was not that unique, nor creative. Most of the link
    scamming is found in emails. If you allow JavaScript to run in email
    and are dumb enough to click on links within emails, especially from
    unknown sources you deserve what you get!

    Of course it also helps to have client software that shows the status
    bar by default, has option to block JavaScript manipulation of the
    status bar. Punycodes those spoofed URLs...and last but not least a
    little common sense in Layer 8.

    > From my experience, those who try to hide to where a page links, are trying
    > to pass viruses, spyware, porn, phishing pages, etc., not cheat the search
    > engines. Yes, those of us "in the know" can rollover the link and see the
    > underlying one, and the title, so if a link appears in that attribute that
    > doesn't match, we can be forwarned. But "Average Joe/Jane" user don't
    > realize the implications. (One of the reasons for my Scams info.)


    > Please be careful the code you post. (This is one of the first times I've
    > seen this type of questions and full code posted.) - You might just be
    > giving the "bad guys" more ammo! (It's nice to know how its done, but why
    > show THEM?)
    >
    > (Sorry if I come off like being on a "high horse", but GEEZE!)


    As I said pure discussion and not very unique. There are much more
    sophisticated was to misdirect a link.


    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Sep 29, 2007
    #8
  9. Blinky the Shark

    BigDaddyBS Guest

    "Jonathan N. Little" <> wrote in message
    news:bcad4$46fe9d18$40cba7bd$...
    > BigDaddyBS wrote:
    >
    >> But the way I see it, Jonathan, who posted the "fiendish but creative
    >> code" just gave phishers, scammers, and malware senders ANOTHER way to
    >> get people to go to sites where the sole purpose in life is to cheat the
    >> poor slobs who don't see the cheat.

    >
    > Not really. My code was not that unique, nor creative. Most of the link
    > scamming is found in emails. If you allow JavaScript to run in email and
    > are dumb enough to click on links within emails, especially from unknown
    > sources you deserve what you get!


    My point is that there are VERY many people who only know email and get to
    the internet BY clicking on links in them. Few of them know to (or HOW to)
    check each link, and many of them are scammed every day. Dumb doesn't enter
    into it. "Inexperienced" and "naive" do NOT equate to "dumb". SHOULD they
    know better? Sure, but many don't, and don't know how to use search engines
    to find out about it. Should they have internet access if they are that
    naive? Of course. For some people, it's their only contact with the "outside
    world". For example, my late grandmother, 91yo - died this year, kept in
    contact with her boys, her grandkids and great-grandkids via email and the
    occassional IM. And she had our family to tell her what to watch out for.
    But there are many who don't have that "backup" to help them. Why should
    they have to suffer the losses imposed by the "bad guys"? According to your
    statement, they deserve it. I disagree, wholeheartedly!

    > Of course it also helps to have client software that shows the status bar
    > by default, has option to block JavaScript manipulation of the status bar.
    > Punycodes those spoofed URLs...and last but not least a little common
    > sense in Layer 8.


    Whose common sense? Many people have tons of common sense, but don't know
    that much about computers (see above). And again, why should those without
    CCS (Computer Common Sense) be made to suffer?

    >> From my experience, those who try to hide to where a page links, are
    >> trying to pass viruses, spyware, porn, phishing pages, etc., not cheat
    >> the search engines. Yes, those of us "in the know" can rollover the link
    >> and see the underlying one, and the title, so if a link appears in that
    >> attribute that doesn't match, we can be forwarned. But "Average Joe/Jane"
    >> user don't realize the implications. (One of the reasons for my Scams
    >> info.)

    >
    >> Please be careful the code you post. (This is one of the first times I've
    >> seen this type of questions and full code posted.) - You might just be
    >> giving the "bad guys" more ammo! (It's nice to know how its done, but why
    >> show THEM?)
    >>
    >> (Sorry if I come off like being on a "high horse", but GEEZE!)

    >
    > As I said pure discussion and not very unique. There are much more
    > sophisticated was to misdirect a link.


    My point there is - unique or not, unsophisticated or not - there are those
    HS and younger buttheads who will try anything (no matter who it hurts) for
    fun. Why should we TEACH them - give them complete code (as you did) to
    screw up other people's lives and computers, and actually EXPLAIN to them
    how to do it? Make them search harder, and possibly have to pull the pieces
    together themselves. You can qualify it as "pure discussion" if you like,
    but that means that someone could post full code for viruses, and get away
    with it by saying the same thing. (And I'm sure there are sites and
    newsgroups with ALL of that crap on them!) Why make it so easy to find?

    > --
    > Take care,
    >
    > Jonathan
    > -------------------
    > LITTLE WORKS STUDIO
    > http://www.LittleWorksStudio.com


    Jonathan, your motives may have been pure. I'm not slamming you as a person
    (don't know you well enough! :) ), just the posting of actual, full code to
    do nasty things, again, no matter how "pure" the original poster (other
    newsgroup) meant it.

    Ok... I think I've "vented my spleen". All I'm saying is that we think about
    what we are posting, and what it could do to those "dumb" people. Huh?

    --
    bigdaddybs
    BigDaddyBS, Sep 29, 2007
    #9
  10. While the city slept, Jonathan N. Little () feverishly
    typed...

    > If you allow JavaScript to run in email and are dumb enough
    > to click on links within emails, especially from unknown
    > sources you deserve what you get!


    I can't speak for current versions (because I don't have one), but I
    remember when Outlook Express (probably the most widely used email client on
    the planet) allowed javascript to be executed in emails / newsgroup messages
    out of the box. I found this out when some scrote posted a message to a
    newsgroup that contained "while(1==1) { window.open; }" in it... After I
    rebooted the PC I found out that OE uses the IE internet "safety" settings,
    and by default used the Trusted setting. Altering that setting was the only
    way to stop OE from executing Javascript - this option wasn't available in
    any of OE's own settings.

    So your comment that "If you allow javascript to run in email ... you
    deserve what you get" is not really fair because many people may be allowing
    javascript to run in emails without even knowing it.

    Cheers,
    Nige

    --
    Nigel Moss http://www.nigenet.org.uk
    Mail address will bounce. | Take the DOG. out!
    "Your mother ate my dog!", "Not all of him!"
    nice.guy.nige, Oct 1, 2007
    #10
  11. nice.guy.nige wrote:
    > While the city slept, Jonathan N. Little () feverishly
    > typed...
    >
    >> If you allow JavaScript to run in email and are dumb enough
    >> to click on links within emails, especially from unknown
    >> sources you deserve what you get!

    >
    > I can't speak for current versions (because I don't have one), but I
    > remember when Outlook Express (probably the most widely used email client on
    > the planet) allowed javascript to be executed in emails / newsgroup messages
    > out of the box. I found this out when some scrote posted a message to a
    > newsgroup that contained "while(1==1) { window.open; }" in it... After I
    > rebooted the PC I found out that OE uses the IE internet "safety" settings,
    > and by default used the Trusted setting. Altering that setting was the only
    > way to stop OE from executing Javascript - this option wasn't available in
    > any of OE's own settings.
    >


    I dumped that turkey back in the 90's! Maybe we should put up a banner,
    hirer a pilot and sky write, don't use OE for your email. Just about
    anything else would be better! I still have old Communicator 4.61 on for
    test and it has the ability to disable JavaScript in mail and
    newsgroups, although back in 99 it was a more naive time it was on by
    default!

    > So your comment that "If you allow javascript to run in email ... you
    > deserve what you get" is not really fair because many people may be allowing
    > javascript to run in emails without even knowing it.


    Maybe they should learn. I love this new Public Service ad that they are
    running in the US lately showing a scruffy guy trying to pull the old
    fake check scam to a lady on a bus. In person it very obvious that it's
    bogus.. the ad tries to show that in an email it still stinks.

    --
    Take care,

    Jonathan
    -------------------
    LITTLE WORKS STUDIO
    http://www.LittleWorksStudio.com
    Jonathan N. Little, Oct 1, 2007
    #11
  12. nice.guy.nige wrote:
    > While the city slept, Jonathan N. Little () feverishly
    > typed...
    >
    >> If you allow JavaScript to run in email and are dumb enough
    >> to click on links within emails, especially from unknown
    >> sources you deserve what you get!

    >
    > I can't speak for current versions (because I don't have one), but I
    > remember when Outlook Express (probably the most widely used email client on
    > the planet) allowed javascript to be executed in emails / newsgroup messages
    > out of the box. I found this out when some scrote posted a message to a
    > newsgroup that contained "while(1==1) { window.open; }" in it... After I
    > rebooted the PC I found out that OE uses the IE internet "safety" settings,
    > and by default used the Trusted setting. Altering that setting was the only
    > way to stop OE from executing Javascript - this option wasn't available in
    > any of OE's own settings.
    >
    > So your comment that "If you allow javascript to run in email ... you
    > deserve what you get" is not really fair because many people may be allowing
    > javascript to run in emails without even knowing it.


    I have the fix for that statement, then. "If you use Outlook Express,
    you deserve what you get." :)

    --
    Blinky RLU 297263
    Killing all posts from Google Groups
    The Usenet Improvement Project - http://improve-usenet.org
    Blinky the Shark, Oct 1, 2007
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andreas Klemt
    Replies:
    1
    Views:
    437
    Steve C. Orr, MCSD
    Aug 10, 2003
  2. Replies:
    0
    Views:
    500
  3. Replies:
    1
    Views:
    520
    David
    Apr 24, 2007
  4. rote
    Replies:
    5
    Views:
    902
  5. soonic
    Replies:
    11
    Views:
    1,756
    soonic
    Jul 27, 2011
Loading...

Share This Page