Seems like the "problem" here is that step 2 should have been prevented and wasn't, the rest of the user story is just wrappers. Possibly related to T37754

@Xaosflux I can't see T37754.

You're technically correct, but my example is very crude so it's not quite that easy to solve. For example, I could say:

<includeonly>https://www.{{#ifeq:{{PAGENAME}}|Dr. Evil/about||about}}.com/</includeonly>

Now the parser must walk down every possible path which would be way too expensive to do for every edit. Even if you did, it wouldn't be a problem at all. Just insert {{User:Dr. Evil/about|about}} on the pages you don't want people to edit and use:

<includeonly>https://www.{{{1}}}.com/</includeonly>

There would be no need for includeonly anymore actually..

To stop this, you need to parse all pages that transclude Dr. Evil's about page before saving the edit. This is not realistic.

A few solutions that might be considered:

• Ignore links that result from transclusion. (maybe difficult to detect?)
• When editing, ignore links that already exist on the page. If a page already includes a link to about.com don't stop people from editing it unless they add more links to blacklisted domains.
• Instead of blocking edits, turn them into pending changes.
• Never block edits, deal with this in the parser instead. Alter or remove blacklisted links while parsing. Alteration could include rewriting the link to encode it (so spam value becomes zero) and pass it as an argument to a redirection page which warns the user and requires the user to click a link to reach the destination.

https://en.wikipedia.org/wiki/MediaWiki_talk:Spam-blacklist#This_is_unreasonable by @jpxg caused me to stumble upon this.

And to clarify: the problem is not that I can spam. Of course I can spam, I'm Dr. Evil, but most spammers are mere mooks. The problem is that I can cause considerable disruption this way.

If the mere existence of a blacklisted link wouldn't prevent the page from being edited at all, this wouldn't be an issue.

Even transclusion is entirely optional:

https://www.{{#ifeq:{{#expr:{{#time:U}}<{{subst:#expr:{{subst:#time:U}}+5}}}}|0|about}}.com/

It works, I posted a link to trentfm.co.uk here which I otherwise couldn't do: https://commons.wikimedia.beta.wmflabs.org/wiki/User:AJ/move3

Regarding any severity, this doesn't stop the "page you don't want people to edit" to be editable (e.g. https://commons.wikimedia.beta.wmflabs.org/w/index.php?title=User:AJ/move3&action=history) - any more then if a page has a blacklist link on it and the domain is then normally added to the blacklist, you just have to remove the offending part during your edit.

See also T239327 , T17582

In T351124#9328947, @Xaosflux wrote:

Regarding any severity, this doesn't stop the "page you don't want people to edit" to be editable (e.g. https://commons.wikimedia.beta.wmflabs.org/w/index.php?title=User:AJ/move3&action=history) - any more then if a page has a blacklist link on it and the domain is then normally added to the blacklist, you just have to remove the offending part during your edit.

Of course, but that's also a problem, that's what https://en.wikipedia.org/wiki/MediaWiki_talk:Spam-blacklist#This_is_unreasonable complains about.

And the link can be obscured in a number of ways, making it more difficult to figure out where it even is.

If the issue is so urgent it must be resolved by the next person who edits the page, it should be resolved within the parser instead. If it's not that urgent (and.. it isn't), why should users who have no idea what to do be stopped from editing a page?

IMHO it's more productive to put pages with blacklisted links in a maintenance category and/or nerf the actual links when parsing.

@Xaosflux you should no longer be able to edit https://commons.wikimedia.beta.wmflabs.org/wiki/User:AJ/move3. (unless you blank it, but that's vandalism!) But anyone else still can, so if you ask for help people might accuse you of gaslighting them. And on a wiki with more traffic you'd have a very difficult time figuring out where that link came from, even as an experienced user.

We're lucky most vandals are idiots.

This would seem to, in general, militate against the wisdom of implementing a spam URL blacklist as a magical totem that prevents *anybody* (including EC, including TE, including sysops) from editing the page.

Do we have some problem where template editors are spamming references to best-free-viagra.biz?

In T351124#9329265, @jpxg wrote:

This would seem to, in general, militate against the wisdom of implementing a spam URL blacklist as a magical totem that prevents *anybody* (including EC, including TE, including sysops) from editing the page.

Do we have some problem where template editors are spamming references to best-free-viagra.biz?

The "sboverride" permission exists from T36928, by default it is assigned to bots

In T351124#9329265, @jpxg wrote:

This would seem to, in general, militate against the wisdom of implementing a spam URL blacklist as a magical totem that prevents *anybody* (including EC, including TE, including sysops) from editing the page.

Do we have some problem where template editors are spamming references to best-free-viagra.biz?

It's a rampant problem! Bloody template editors peddling their free viagra! :-(

Though youtu.be (blacklisted URL shortener) is probably more common. If admins or TE would be allowed to insert it they'll probably accidentally do just that. Which wouldn't be an issue.. if that wouldn't prevent any non-admin from editing the page from that moment forward until the shortener has been un-shortened.