Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences.
https://exchange.xforce.ibmcloud.com/vulnerabilities/41981
http://www.vupen.com/english/advisories/2008/1347
http://www.securityfocus.com/archive/1/491192/100/0/threaded
http://securityreason.com/securityalert/3833