How can you inject malicious code into an innocent-looking URL?

I wrote a blog a while back about a security flaw in iOS's Safari Mobile browser, which pretty much allows you to mask a URL. The hole was fixed with iOS 5.2, I believe, and I know for a fact the hole is no longer available in iOS 6.x. But in short, people can find such security holes in certain types of web browsers, then use them to their advantage. In the case of iOS it was pretty much just a case of using some sloppy JavaScript with iframes, like the following:

<script type="text/javascript">
// Assumes an element with id="one" exists in the page.
document.getElementById('one').onclick = function() {
    // Open a pop-up whose address bar shows www.apple.com
    var myWindow = window.open('http://www.apple.com', 'eintitel', 'width=200,height=100,location=yes');
    // ...then overwrite the pop-up's document with an iframe that loads a different site
    myWindow.document.write("<html><head></head><body><iframe src=\"http://techmeout.org\"></iframe></body></html>");
    myWindow.focus();
    return false;
}
</script>

As you can see, there are two URLs: http://www.apple.com and my blog. When viewed on certain mobile Apple devices you will see www.apple.com in the address bar, but see my blog's content instead of Apple's website.

An attacker can use a URL shortening service like bit.ly:

http://bit.ly/114E7Q5

The XSS'ed site came from http://www.xssed.com/!

If it is a phishing attack and the URL matters, then the attacker can URL-encode or UTF-8 encode key characters to obscure HTML tags. Most people disregard long URLs anyway.

Related: XSS Filter Evasion Cheat Sheet.
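From the defender's side, the encoding trick the answer above describes is undone by decoding a URL repeatedly before looking for tags. This is an added example, not code from either answer; it assumes Node.js, and example.com plus the sample query strings are constructed:

```javascript
// Added example, not from the original answers: repeatedly percent-decode a URL
// and report HTML tags that were hidden behind (possibly nested) URL encoding.
const TAG_RE = /<\s*\/?\s*(script|iframe|img|svg|object|embed|body)\b/i;

// Decode until the string stops changing (double-encoded input needs two rounds).
// decodeURIComponent throws URIError on byte sequences that are not valid UTF-8,
// including overlong forms; such input is reported as malformed, not passed through.
function fullyDecode(raw, maxRounds = 5) {
  let current = raw;
  let rounds = 0;
  while (rounds < maxRounds) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      if (e instanceof URIError) return { text: current, rounds, malformed: true };
      throw e;
    }
    if (next === current) break;
    current = next;
    rounds += 1;
  }
  return { text: current, rounds, malformed: false };
}

// Returns what a filter or log-review script would want to know about one URL.
function inspectUrl(url) {
  const { text, rounds, malformed } = fullyDecode(url);
  const m = text.match(TAG_RE);
  return {
    decoded: text,
    rounds,
    malformed,
    tag: m ? m[1].toLowerCase() : null,
    suspicious: malformed || m !== null,
  };
}

// Constructed sample URLs; example.com is a placeholder host.
const SAMPLES = [
  'http://example.com/search?q=running+shoes',                            // benign
  'http://example.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E',        // single-encoded tag
  'http://example.com/search?q=%253Ciframe%2520src%253D%2522x%2522%253E', // double-encoded tag
  'http://example.com/search?q=%C0%BC',                                   // overlong UTF-8 form of '<'
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const u of SAMPLES) console.log(JSON.stringify(inspectUrl(u)));
}
```

A URL that needs more than one decoding round, or that cannot be decoded at all, is worth flagging on its own even before a tag is found.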