An attacker can embed an RTLO (right-to-left override) character in the url parameter of https://www.khanacademy.org/computer-programming/link_redirector?url= to trick the user into downloading suspicious files.
An attacker can even spoof the domain name by adding the following value to the
When the user clicks on the link, the user is redirected to
https://moc.rettiwt/, which is a completely different host.
I have also tested some other malformed URLs which can fool the user into being redirected to other hosts:
https://google.com@'#twitter.com (Different domain)
Filter out all unnecessary special symbols from the URL, along with the RTLO character.
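As an added example (not code from the original report or from Khan Academy), the following Python validator shows one way a redirector could apply that mitigation server-side before issuing a redirect. It rejects Unicode bidirectional control characters (RTLO and its relatives) and any other control/format characters, rejects userinfo (`@`) in the target so that `https://google.com@'#twitter.com` cannot masquerade as a different host, and only redirects to an allowlisted set of hosts. The allowlist, the function names and the sample inputs are assumptions constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode bidirectional control characters: marks, embeddings/overrides,
# and isolates. RTLO is U+202E.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                      # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"    # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"          # LRI, RLI, FSI, PDI
)

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist for this example; a real deployment uses its own hosts.
ALLOWED_HOSTS = {"www.khanacademy.org", "khanacademy.org"}


def find_bidi_controls(s):
    """Return the sorted code points of any bidi control characters in s."""
    return sorted({f"U+{ord(c):04X}" for c in s if c in BIDI_CONTROLS})


def validate_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Only ok=True targets should be redirected to."""
    if not url:
        return False, "empty url"

    # 1. Explicit check for RTLO & friends, reported by code point for logging.
    bad = find_bidi_controls(url)
    if bad:
        return False, "bidi control character(s): " + ", ".join(bad)

    # 2. Reject every other control (Cc) or format (Cf) character as well.
    for c in url:
        if unicodedata.category(c) in ("Cc", "Cf"):
            return False, f"control/format character U+{ord(c):04X}"

    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"

    # 3. Only absolute http(s) URLs; scheme-relative "//host" has no scheme.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"

    # 4. Userinfo lets "https://real.example@attacker" look like real.example.
    if parts.username is not None or parts.password is not None or "@" in parts.netloc:
        return False, "userinfo (@) not allowed in redirect target"

    # 5. Host must be present and on the allowlist.
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in allowed_hosts:
        return False, f"host not in allowlist: {host}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the patterns from the report.
    samples = [
        "https://www.khanacademy.org/math",
        "https://www.khanacademy.org/docs/\u202eexample",   # RTLO embedded
        "https://google.com@'#twitter.com",                 # userinfo spoof
        "http://moc.rettiwt/",                              # off-allowlist host
        "//www.khanacademy.org/math",                       # scheme-relative
    ]
    for s in samples:
        print(repr(s), "->", validate_redirect_target(s))
```

The bidi check runs on the raw parameter before any parsing or decoding, because the point of the override character is to change how the string is displayed, not how it is parsed; logging the rejected code point makes such attempts easy to spot in redirector access logs.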
#299403 #298 RIGHT TO LEFT OVERRIDE