Last modified: 2012-12-12 13:39:05 UTC
If the user adds for example {{IMDb|124|Foo}} or {{IPcheck|127.0.0.1}} in the English Wikipedia, he has to solve a Captcha, because the templates link to imdb.com, dnsstuff.com and so on. This is both annoying and confusing, because the user does not add an external link, the template does. The obvious solution would be not to display a Captcha if the url is provided by the template, not the user. However, clever spammers could do the following: 1. Create template "evilLink" with external link. Solve a Captcha to do so. 2. Transclude template "evilLink" into 1000 pages without having to solve a Captcha. 3. ??? 4. Profit! The alternative would be, to use MediaWiki:Captcha-addurl-whitelist, however few sysops even notice, that there are Captchas (Admins don't have to solve them, so they are not aware of the problem). But perhaps, there is another way. If FlaggedRevs are active on a wiki, it would be possible to allow only external links of flagged templates without a Captcha. If FlaggedRevs are missing, it would be possible to allow external links that have been in a template for a while (this would slow down spammers).
I don't think there's really a good way to do this at present -- there's no good way to tell "where" the URL came from. In the examples you give, the URL "comes from" both places -- it's formed from a combination of something in the template and something in the template parameters.
(In reply to comment #0) > If the user adds for example {{IMDb|124|Foo}} or {{IPcheck|127.0.0.1}} in the > English Wikipedia, he has to solve a Captcha, because the templates link to > imdb.com, dnsstuff.com and so on. > This is both annoying and confusing, because the user does not add an external > link, the template does. That counts as adding a link. I'm unclear why we would want to change this behaviour. > The obvious solution would be not to display a Captcha if the url is provided > by the template, not the user. However, clever spammers could do the following: > 1. Create template "evilLink" with external link. Solve a Captcha to do so. > 2. Transclude template "evilLink" into 1000 pages without having to solve a > Captcha. > 3. ??? > 4. Profit! That situation is exactly why it works this way. It's not outlandish at all. > The alternative would be, to use MediaWiki:Captcha-addurl-whitelist, however > few sysops even notice, that there are Captchas (Admins don't have to solve > them, so they are not aware of the problem). Of course, the whitelist should be used - that's what it's for! I imagine the same team who handle the spam black/whitelist would also handle requests for additions to that whitelist. Recommend WONTFIX.
From the developers point of view, it might be difficult or even impossible to fix with the current design. However, from the users point of view, this is totally confusing. I recommend to at least change the system message to something that explains the problem.
[Removing RESOLVED LATER as discussed in http://lists.wikimedia.org/pipermail/wikitech-l/2012-November/064240.html . Reopening and setting priority to "Lowest". For future reference, please use either RESOLVED WONTFIX (for issues that will not be fixed), or simply set lowest priority. Thanks a lot!]
