[orbital303]

This is incorrect. Once you get to see the url in the bar, it's too late if you've been redirected to a site with malware. This is an extremely serious security flaw and downplaying it is not going to help anyone.

There is no use for this security hole other than to deceive people. Period.

[markjaquith]

To the contrary, there is an infinite number of uses. And this isn't a hole. This is HOW. JAVASCRIPT. WORKS. Period.

There seems to be a misperception that the URL you see on hover is 100% where you'll go if you click it. No. It's just representing the current state of the href. JS owns the DOM and its interactions. If it wants to intercept a click and rewrite an href or do an e.preventDefault() or redirect with window.location, that is its prerogative. That is the power that it is intended to have. It is this power which makes the modern web work.

If we can't teach people to look at the location bar and check domain names and SSL-related colors and icons, we can't help them avoid phishing. Restricting what basic JS can do so that the possibly fictitious group of people who check the status bar on hover but don't check their location bar can be protected is a terrible, terrible idea.

[aneth4]

There are lots of uses, thus why it is widely used. It's also impossible to fix, as there are other methods of doing the same thing, such as preventDefault.

[batiste]

If your only goal is to send the user to a malicious page with a payload then you don't need any user action.

Just do: document.location.href = "http://malware.com;

And you are done.

[bilawal]

Heck, if you're going to do that.. you don't even need JavaScript.

<meta http-equiv="refresh" content="0; url=http://malware.com />