A person going by “Bilaw.al Hameed” sounded the alarm over the possibility that the href of an anchor tag could be changed by clicking on it. He felt this opened up a security hole and the feature should be disabled.
This is not a new trick. This is how Google’s search results page works.
Inspect the results for a typical search; you’ll see that they look like this:
<a href="http://en.wikipedia.org/wiki/Test_cricket" class="l" onmousedown="return rwt(this,'','','','2','AFQjCNGPXOKClui7vHgzV25lOsr4nAq50g','','0CDgQFjAB','','',event)"> <em>Test</em> cricket - Wikipedia, the free encyclopedia </a>
rwt there probably means rewrite, as in, rewrite the URL. Hold the mouse down on the element and watch it change to:
<a href="/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CDgQFjAB&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FTest_cricket&ei=BBlGUZXbLdLSqAHKkoDQBQ&usg=AFQjCNGPXOKClui7vHgzV25lOsr4nAq50g" class="l" onmousedown="return rwt(this,'','','','2','AFQjCNGPXOKClui7vHgzV25lOsr4nAq50g','','0CDgQFjAB','','',event)"> <em>Test</em> cricket - Wikipedia, the free encyclopedia </a>
And that’s why, when you hover, the link-preview appears to show you that you’re going to
en.wikipedia.org, but if you click you are actually going to a Google page which redirects you to what you wanted. They do this to track the effectiveness of their search results (with the side effect of learning what you clicked on).
A version of this was posted to Reddit’s /r/netsec.