
> Do you mean it's not necessarily a URL?

Javascript or no, the href attribute of an <a> tag does not have to be a URL in order for it to be clickable. (Whether or not it will do anything useful is another matter.)

> Or do you mean clicking on it could take you somewhere other than where you would go if you chose "copy url" and manually pasted it into the address bar?

This is possible with Javascript - capture the click event before the browser's <a> tag handling and load any page you want.

> is that true [possible] even on a forum like this that makes you post comments as plain text?

No. /u/mynewtb was talking about clickable hyperlinks where clicking on them takes you to a different place than the tag's href. On sites like HN, where all comments are plain text, there are no hyperlinks in comments. On sites like Reddit, you can use Markdown to add clickable hyperlinks to your comments, but you can't add <script> tags in order to manipulate what clicking the hyperlink does.

In either case, an attacker would have to do XSS in order to change where you go when you click a link.

This attack / trick is entirely feasible within first-party content or third-party content that is allowed to use external Javascript or inline <script> tags (for example, HTML email).
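
Added example, not part of the comment above and not any site's actual code: a sketch of how a comment renderer can enforce the property described for Markdown sites, so that a user-submitted link can only become a plain `<a href>` with an http(s) target and everything else is escaped to text. The function names `renderComment` and `safeHref` and the sample inputs are hypothetical.

```javascript
// Escape every character that could open a tag or break out of an attribute.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);

// Return a normalized http(s) URL, or null for anything else
// (javascript:, data:, unparseable or relative input).
function safeHref(raw) {
  let u;
  try { u = new URL(raw.trim()); } catch { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Convert [label](url) Markdown links to anchors. The renderer, not the user,
// writes the tag, so no <script> or on* handler can be attached to it.
function renderComment(text) {
  const linkRe = /\[([^\]\n]*)\]\(([^)\s]+)\)/g;
  let out = '', last = 0, m;
  while ((m = linkRe.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[2]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="nofollow noopener">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]); // rejected scheme: keep the raw Markdown as visible text
    last = linkRe.lastIndex;
  }
  return out + escapeHtml(text.slice(last));
}
```

With output built this way, the destination shown by "copy URL" and the destination reached by clicking stay the same unless script is injected by some other route.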


