malware antimalware

How to properly defang/disarm URLs with scheme ftp/ftps?


No problems with: HTTP/HTTPS

When defanging/disarming URL schemes (e.g. with python-defang):

So, no problem here.

But what happens with: FTP/FTPS/FXP

But how can these schemes be properly defanged?

Alternative?

Is there something like a rule of thumb for defanging/disarming: just to make sure that a URL doesn't work anymore within a browser so that the client won't open a malicious URL accidentally?


Solution

  • Link's source indicates it only supports HTTP, HTTPS and FTP, not SFTP, FTPS or FXP, although support seems trivial to add by updating the PROTOCOL_TRANSLATIONS list in __init__.py.

    FXP://, SFTP:// and FTPS:// are not supported in modern browsers. At best, clicking such a URL will show an external application launch dialog, similar to what you get with a magnet link.

    As a rule of thumb, if crippling URLs is the goal, I would replace ':' with something else. Changing the protocol name itself doesn't make the URL invalid, just unlikely to be understood/exist. It will still be parsed by extensions, plugins, etc., which may be enough to trigger bad mojo. Changing the colon will render them to strings.
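The rule of thumb from the answer above (break the colon instead of renaming the scheme), as an added example that is not part of the original answer or of python-defang: a scheme-agnostic defang that covers ftp, ftps, sftp and fxp alike, plus a check that a standards-based parser no longer sees a URL. The function names, the `[:]` replacement and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Any RFC 3986 scheme followed by "://", so ftp, ftps, sftp, fxp, http(s)
# and unknown schemes are all covered without a per-protocol list.
_LIVE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*)://")
_DEAD = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*)\[:\]//")

# Constructed sample text; example.test is a reserved name.
SAMPLE = (
    "Dropper fetched ftp://files.example.test/a.bin then "
    "FTPS://user:pw@files.example.test:990/b.bin and "
    "sftp://files.example.test/c fxp://files.example.test/d "
    "https://example.test/e"
)

def defang(text: str) -> str:
    """Bracket the colon of every 'scheme://'; already-defanged text is unchanged."""
    return _LIVE.sub(r"\1[:]//", text)

def refang(text: str) -> str:
    """Reverse defang() so an analyst can recover the original indicator."""
    return _DEAD.sub(r"\1://", text)

def parses_as_url(candidate: str) -> bool:
    """True if urlsplit still finds both a scheme and a host."""
    parts = urlsplit(candidate)
    return bool(parts.scheme and parts.netloc)

def live_urls(text: str) -> list:
    """Whitespace-separated tokens that still parse as URLs (want [] before sharing)."""
    return [t for t in text.split() if parses_as_url(t.strip("<>()\"',;"))]

if __name__ == "__main__":
    safe = defang(SAMPLE)
    print(safe)
    print("live before:", len(live_urls(SAMPLE)), "live after:", len(live_urls(safe)))
```

Because the colon in userinfo and port positions only has meaning after a scheme has been recognised, bracketing the scheme colon alone is enough for `urlsplit` to treat the whole token as a plain path.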