Liberapay: Punycode Detection Parsing should be implemented on Markdown

ID H1:363049
Type hackerone
Reporter kunal94
Modified 2018-06-07T17:25:42


Hello Liberapay Security Team,


When we insert any URL in the Markdown box in, it is reflected on our main profile page. The main issue I discovered is that the Punycode parsing method was not enabled on Markdown.

Steps to Reproduce

For demonstration, let's take two URLs. Normal URL - and Punycode URL - аррlе.com

1) Go to, and enter this URL like this.

2) Now, looking at the URLs, they are not distinguishable; however, the other one is Punycode.

[Note: Since HackerOne report posts detect Punycode, I am not inserting https in both URLs, but you can try with this format in the below screenshot.]

3) Go to the Markdown box, type both URLs in this format, and save it. {F306263}

4) After saving, move on to the profile front page and check that both URLs are displayed. When a person clicks the 1st link, it'll redirect to the normal one, but clicking the second URL will redirect to the Punycode URL. It's because both URLs have been decoded in the same way in the Markdown, without any Punycode parsing method.


For verification, click on my profile link; here I already mentioned both URLs. Check and verify.

Reason to Report

  • Since Punycode is not detected in Markdown, it'll look exactly the same, isn't it.
  • Judging by both the URLs which I have mentioned, one can't differentiate between them, as they look exactly the same before submitting and after submitting on the profile page.
  • In this way, one can redirect to another domain.
  • Also, a Punycode URL can be registered, so a person can be redirected to another site.


  • We can initiate Punycode parsing or a warning link: when Punycode is inserted and afterwards rendered in Markdown, it should display the original Punycode URL on the profile page.
  • So before clicking any link, the user can check that it's a Punycode URL and not safe to click in the first place.

Thanks, Kunal (Low impact, but Punycode parsing must still be initiated within the Markdown process for URL rendering)


As explained in reason
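
The display rule the report asks for, sketched as an added example (not Liberapay's code and not part of the original report): every inline Markdown link whose hostname is internationalized gets its ASCII `xn--` form shown next to it. The function names and the sample text are constructed for illustration, and the conversion uses Python's raw Punycode codec without IDNA mapping or validation.

```python
import re
from urllib.parse import urlsplit

# Inline links only: [text](url). Reference-style links and autolinks are not handled.
INLINE_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def ascii_host(host):
    """Convert a hostname to its ASCII (xn--) form, one label at a time.

    Assumption: raw Punycode (RFC 3492) per label, no IDNA mapping or validation.
    """
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def is_idn(host):
    """True if any label is non-ASCII or is already Punycode-encoded."""
    return any(not lab.isascii() or lab.startswith("xn--")
               for lab in host.lower().split("."))


def annotate_links(markdown):
    """Append the ASCII hostname after every inline link that points at an IDN."""
    def repl(match):
        try:
            host = urlsplit(match.group(2)).hostname
        except ValueError:  # malformed URL: leave the link untouched
            return match.group(0)
        if host and is_idn(host):
            return f"{match.group(0)} ({ascii_host(host)})"
        return match.group(0)
    return INLINE_LINK.sub(repl, markdown)


# Constructed sample: the second hostname is written entirely in Cyrillic letters.
SAMPLE = (
    "[Store](https://example.org/) and "
    "[Store](https://\u0430\u0440\u0440\u04cf\u0435.com/)"
)

if __name__ == "__main__":
    print(annotate_links(SAMPLE))
```

A renderer would apply the same check when it builds the link, so the `xn--` hostname is visible on the profile page before anyone clicks.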