I came across this suggested edit on Movies.SE this morning. The edit cut out two shortened links (TinyUrl), claiming they linked to a virus, and added a disclaimer not to click said links in the answer, defacing it. I rejected it with the following custom reason:
That's a good intention but also contradicts the author's intent, and can't easily be verified. I'll drop that in chat and see, thanks if it's confirmed
I did post it in M&TV chat, asking for advice in future similar situations, but to no avail so far - and I reckon this might be of interest network-wide.
My issue here is that the edit does conflict with the author's intent, but if it's done in good faith, it raises an obvious security problem. On the other hand, once I'm presented with someone saying the link is malevolent, I have zero intention of clicking it to check. So, as a reviewer, what action should I take?
Approve: in the present case that makes no sense because of the defacing bit, but barring that it might sound reasonable. I have not checked whether the link is malevolent though, so I could be taking part in the loss of somewhat valuable information.
Improve Edit or Reject and Edit: same thing, as I haven't made sure whether my edit prevents an actual security threat, this doesn't sound optimal.
Reject: but I'm still not sure the links are safe!
Couple of thoughts:
sure, as always I can mod-flag. But I'm guessing at least one mod will have the same question, won't they?
there is a bit of guidance out there basically saying "if you're going to make drastic changes to a post for security concerns, please leave a comment and post your own answer instead". That works fine(ish) with code, but links? How many people read comments to check that links in posts aren't malevolent? And posting a new answer without links, in this case, doesn't make sense.
something that comes to mind to check whether the link isn't evil is to try it from a virtual machine, but that's not 100% reliable and isn't something that could/should be expected from curators.
Depends. In the specific case you cite, Reject and Edit would have been the correct choice. In general, I'd always replace shortened URLs with the corresponding elongated versions as that helps users to have a rough idea of where the link is pointing to if they hover their mouse over it. Now your particular issue seems to boil down to "how should I check whether a link is safe without opening it?".
Firstly, as @animuson suggests you could use a redirect checker to detect where the link points to. Then check the target URL using something like Google's Safe Browsing Site Status and VirusTotal, which will let you know if there's any known malware on the site. To get more details about the domain, you could also plug the URL into Wolfram Alpha. Finally, if you do find anything suspicious about the domain, it's best to edit out the link(s) (ideally, without damaging the rest of the post), flag for a moderator and perhaps leave a comment for the OP asking them to add an alternative non-suspicious link instead.