It's possible to spoof the URL by calling document.write within the OnClick handler of an <a> tag.
vulners.com/securityvulns/securityvulns:doc:9989
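A static check for the pattern described above, as an added example that is not part of the original advisory: it flags `<a>` tags whose inline OnClick handler calls `document.write` so the page can be reviewed before publishing. The names `scan` and `AnchorOnclickScanner` and the sample markup are assumptions made for illustration, and the regular expression is a heuristic that only sees inline handlers.

```python
import re
from html.parser import HTMLParser

# document.write / document.writeln, dotted or bracket access (JavaScript is case-sensitive).
DOC_WRITE = re.compile(
    r"\bdocument\s*(?:\.\s*write(?:ln)?|\[\s*['\"]write(?:ln)?['\"]\s*\])\s*\("
)


class AnchorOnclickScanner(HTMLParser):
    """Collect <a> tags whose inline onclick handler calls document.write."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character
        # references in attribute values, so OnClick= and &#46; are normalised.
        if tag != "a":
            return
        attr = {name: (value or "") for name, value in attrs}
        handler = attr.get("onclick", "")
        if DOC_WRITE.search(handler):
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "href": attr.get("href", ""), "onclick": handler}
            )


def scan(html_text):
    """Return one finding per anchor that rewrites the document when clicked."""
    scanner = AnchorOnclickScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample markup, not taken from the advisory.
SAMPLE = """<html><body>
<a href="https://example.com/">plain link</a>
<A HREF="https://example.com/login" OnClick="document.write('...'); return false;">sign in</A>
<a href="https://example.org/" onclick="track('x')">tracked</a>
<a href="https://example.net/" onclick="document&#46;writeln ('x')">encoded</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: href={f['href']!r} onclick={f['onclick']!r}")
```

Each finding pairs the `href` a user sees with the handler that replaces the page content, which is the mismatch a reviewer needs to look at.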