
How to properly defang/disarm URLs with scheme ftp/ftps?


No problems with: HTTP/HTTPS

When defanging/disarming URL schemes (e.g. with python-defang):

  • http becomes hXXp
  • https becomes hXXps

So, no problem here.

But what happens with: FTP/FTPS/FXP

How can these schemes be properly defanged?

  • ftp becomes fXp

    • how do I know if a given URL is defanged or if it's a real URL that just makes use of the File eXchange Protocol (fxp) instead of the normal File Transfer Protocol (ftp)?
  • ftps becomes what? fXps?

    • what is the "official defanged" version of ftps?!
  • fxp becomes what? fXxp?

    • what is the "official defanged" version of fxp?!

Alternative?

Is there something like a rule of thumb for defanging/disarming: just to make sure that a URL doesn't work anymore within a browser so that the client won't open a malicious URL accidentally?


Solution

  • Link's source indicates it only supports HTTP, HTTPS and FTP, not SFTP, FTPS or FXP. Although support seems trivial to add by updating the PROTOCOL_TRANSLATIONS list in `__init__.py`.

    FXP://, SFTP:// and FTPS:// are not supported in modern browsers. At best, clicking such a URL will show an external application launch dialog, similar to what you get with a magnet link.

    As a rule of thumb, if crippling URLs is the goal, I would replace ':' with something else. Changing the protocol name itself doesn't make the URL invalid, just unlikely to be understood/exist. It will still be parsed by extensions, plugins, etc., which may be enough to trigger bad mojo. Changing the colon will render them to strings.
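An added example (not python-defang's code and not the answerer's) that implements both ideas from this thread: a scheme-translation table extended to ftps/fxp/sftp, plus the colon replacement the answer recommends. The `fXps`/`fXXp`/`sfXp` spellings and the `[:]`/`[.]` markers are this example's own assumptions, and `parsed_scheme` uses `urllib.parse` to show why scheme-only defanging is ambiguous for fxp: RFC 3986 schemes are case-insensitive, so a parser lowercases `fXp://` to `fxp://`, while a URL with its colon replaced yields no scheme at all.

```python
"""Defang/refang URLs and check whether a parser still sees a scheme."""
import re
from urllib.parse import urlsplit

# Assumed translations (hXXp/fXp follow the common convention; the
# ftps/fxp/sftp forms are this example's own choice, not a standard).
SCHEME_TRANSLATIONS = [
    ("https", "hXXps"),
    ("http", "hXXp"),
    ("ftps", "fXps"),
    ("ftp", "fXp"),
    ("sftp", "sfXp"),
    ("fxp", "fXXp"),   # distinct from fXp so a real fxp URL stays recoverable
]
_FORWARD = dict(SCHEME_TRANSLATIONS)
_REVERSE = {v.lower(): k for k, v in SCHEME_TRANSLATIONS}
_URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://(.*)$")


def defang(url: str) -> str:
    """Rename the scheme AND replace ':' and the authority's dots, so the
    result is inert even for a parser that ignores the scheme name."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = _FORWARD.get(m.group(1).lower(), m.group(1).lower())
    authority, sep, path = m.group(2).partition("/")  # path dots are kept
    return f"{scheme}[:]//{authority.replace('.', '[.]')}{sep}{path}"


def refang(text: str) -> str:
    """Undo defang(): restore the colon, the dots and the scheme name."""
    m = re.match(r"^([A-Za-z]+)\[:\]//(.*)$", text)
    if not m:
        return text.replace("[.]", ".")
    scheme = _REVERSE.get(m.group(1).lower(), m.group(1).lower())
    return f"{scheme}://{m.group(2).replace('[.]', '.')}"


def parsed_scheme(text: str) -> str:
    """Scheme as a standards-compliant parser sees it (lowercased)."""
    return urlsplit(text).scheme


def is_inert(text: str) -> bool:
    """True only when no scheme can be extracted, i.e. nothing to launch."""
    return parsed_scheme(text) == ""
```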