Fulvio,
Don't get me wrong, I think the information you are providing is important. But I think your are missing the point of our responses: the spoofing test isn't succeeding for K-Meleon. The address in the address bar doesn't look like:
http://www.paypal.com/
and the status bar shows:
http://www.payp?l.com/
Now it does bother me that the "View Link URL" is showing some sort of character or characters and not the question mark that the status bar shows to indicate something funny's going on, and as a precaution I think I am going to implement the fix you suggest.
But the fact is, the exploit as presented doesn't work on K-Meleon.