For example, mastоdon.social isn't mastodon.social (the official instance): the first domain uses a lookalike character for the first o in mastodon.social, so in punycode it would be xn--mastdon-djg.social, which is clearly different.
When Mastodon returns domain blocks from the API, they are normalised to punycode, so the API, despite accepting lookalike characters, will return them as punycode in the response.
I had a look through the code, and from what I can tell there is no code for handling domain punycode normalisation, which may cause unexpected results with this tool if a source blocklist does not do punycode normalisation.
Note: As this project has neither a SECURITY.md file, nor the GitHub Security features enabled, I was not able to disclose this potential issue in a more responsible disclosure manner, without seeking out contributor email addresses (typically a privacy violation).
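To make the mismatch described above concrete, here is an added Python example (not code from the project or the issue author) that canonicalises blocklist domains to the same lowercase punycode form the Mastodon API returns, and shows how a naive string comparison wrongly reports a lookalike entry as "not yet blocked". The function names and the sample lists are my own construction.

```python
import codecs
import unicodedata

# Constructed sample: the first "o" in this label is Cyrillic U+043E, a
# lookalike for Latin "o", exactly the case described in the issue above.
LOOKALIKE = "mast\u043edon.social"
OFFICIAL = "mastodon.social"


def normalise_label(label: str) -> str:
    """Return one DNS label in its lowercase ASCII (punycode/A-label) form."""
    # NFKC folds compatibility forms; lowercasing covers both ASCII and
    # non-ASCII labels (Python's idna codec does not lowercase ASCII labels).
    label = unicodedata.normalize("NFKC", label).lower()
    if label.isascii():
        # Already an A-label ("xn--...") or plain ASCII: nothing to encode.
        return label
    # RFC 3492 punycode with the IDNA "xn--" ACE prefix.
    return "xn--" + codecs.encode(label, "punycode").decode("ascii")


def normalise_domain(domain: str) -> str:
    """Canonicalise a hostname the way the Mastodon API returns blocks."""
    domain = domain.strip().rstrip(".")  # ignore a trailing root dot
    return ".".join(normalise_label(l) for l in domain.split(".") if l)


def naive_missing_from_api(source_blocklist, api_blocks):
    """Byte-for-byte comparison: the behaviour of a tool with no normalisation."""
    return sorted(set(source_blocklist) - set(api_blocks))


def missing_from_api(source_blocklist, api_blocks):
    """Source entries that are NOT yet blocked, compared in punycode form."""
    blocked = {normalise_domain(d) for d in api_blocks}
    return sorted({normalise_domain(d) for d in source_blocklist} - blocked)


if __name__ == "__main__":
    # Constructed data: a source list with a raw lookalike entry and the
    # punycode form the API would hand back for that same block.
    source = [LOOKALIKE, "Example.ORG."]
    api = ["xn--mastdon-djg.social"]
    print(normalise_domain(LOOKALIKE))        # xn--mastdon-djg.social
    print(naive_missing_from_api(source, api))  # lookalike wrongly reported
    print(missing_from_api(source, api))        # ['example.org']
```

The naive comparison would re-submit the lookalike domain on every run, while the normalised comparison recognises it as already blocked.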