tl;dr: URLs with all periods prepended by a zero-width space evade Twitter DM malware detection, but are still recognized (and clickable) by Chrome, Firefox, Safari, and Twitter's own client.

    javascript:prompt(0,location.href.replace(/\./g,"\u200b."))._