Please visit A
HREF=http://phisher.com/path/to/page;http://example.com/page/A
Those ones, indeed.
And, IMO easier to detect, and worthy of a higher score:
A HREF=http://phisher.com/page;https://example.com/page/A
Even worse:
A HREF=http://123.456.78.90/page;https://example.com/page/A
You can
Even worse:
A HREF=http://123.456.78.90/page;https://example.com/page/A
You can throw in a few extra points for an onMouseOver clause
that sets the status bar to https ... :)
Would you believe that there is no reasonable way to detect that last one
currently with SA? Which is a shame, since