docker
Default URL should not be resolvable
As it is, if SYMFONY__ENV__DOMAIN_NAME is left unset (or apparently with whatever the issue is behind #236), the default is your-wallabag-url-instance dot com. Unfortunately, this means that the moment you try to load the page, cross-site scripting can happen, and at the moment this means you get whisked away to that URL immediately. Thankfully my content blockers prevented whatever's on that squatted domain from fully loading, but I consider this a danger.
The default URL should be something sane and secure, either one that cannot resolve (wallabag.wallabag.wallabag, or wallabag.lan, or ...) or one that resolves to something inherently safe, such as wallabag.example.org.
This is especially true given the "just start it like this" examples make no mention of environment variables needing to be set, and the other variables are unnecessary for a basic SQLite setup!
Cannot say better. The domain your-wallabag-url-instance dot com is actually registered, so wallabag immediately redirects to it by default! It's safe to use example.com or example.org: https://www.iana.org/domains/reserved
The default URL has been changed to your-wallabag-instance.wallabag.org, closing this issue.
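A start-up guard for the situation discussed in this thread, as an added example that is not part of the original issue or of wallabag's own code: it reports whether the domain a container would fall back to lies in a namespace reserved by RFC 2606 / RFC 6761 (the IANA list linked above), so it cannot be registered by a third party. The function names `host_of`, `is_reserved_host` and `check_domain` are hypothetical, and the fallback value in the last line is the one suggested in the issue.

```shell
#!/bin/sh
# Added example: entrypoint-style check for an unset SYMFONY__ENV__DOMAIN_NAME.
# Helper names are hypothetical; sample values are constructed.

# Reduce a bare host or a full URL to its lower-cased host name.
host_of() {
    h=${1#*://}     # drop the scheme, if any
    h=${h%%/*}      # drop the path
    h=${h##*@}      # drop userinfo (user:pass@)
    h=${h%%:*}      # drop the port
    h=${h%.}        # drop a trailing root dot
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# Succeed only for names reserved by RFC 2606 / RFC 6761.
# Suffix patterns include the leading dot, so "example.org.evil.com"
# and "notexample.org" do not match.
is_reserved_host() {
    case "$(host_of "$1")" in
        example.com|example.net|example.org) return 0 ;;
        *.example.com|*.example.net|*.example.org) return 0 ;;
        test|example|invalid|localhost) return 0 ;;
        *.test|*.example|*.invalid|*.localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: operator-supplied value (may be empty), $2: default shipped in the image.
# Prints "configured", "safe-default" or "unsafe-default".
check_domain() {
    if [ -n "$1" ]; then
        echo configured
    elif is_reserved_host "$2"; then
        echo safe-default
    else
        echo unsafe-default
    fi
}

# Stand-alone use: report the state for the current environment.
check_domain "${SYMFONY__ENV__DOMAIN_NAME:-}" "https://wallabag.example.org"
```

An entrypoint can refuse to start, or log a prominent warning, when the result is `unsafe-default`.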