Certain DataValues use URIs internally, and we are slowly introducing more of these cases:
- Calendar models in time values.
- Globes in coordinates.
- Units in quantities.
In all these cases our current validators allow everything, as long as the URL starts with http or https and doesn't exceed 255 characters. The relevant code can be seen in Wikibase\Repo\ValidatorBuilders.
In all these cases I suggest that we:
- Disallow http://wikidata.org with the "www" missing.
- Disallow http://www.wikidata.org/wiki/ with "wiki" instead of "entity". Moreover, disallow every wikidata.org URI but canonical /entity/ URIs.
- Disallow every entity type but Items.
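
The following sketch puts the current rule beside the suggested one. It is an added example, not part of the original post and not Wikibase's own code. The function names are hypothetical, and it assumes that the canonical form is `http://www.wikidata.org/entity/Q<number>` and that non-Wikidata URIs stay subject to the current rule only.

```php
<?php
// Added illustration; these functions are hypothetical, not the ValidatorBuilders API.

// Current rule as described above: any http/https URL of at most 255 characters.
function isAcceptedByCurrentRule(string $uri): bool {
    return strlen($uri) <= 255 && preg_match('!^https?://!', $uri) === 1;
}

// Suggested rule: a URI on wikidata.org (with or without a subdomain) must be
// a canonical /entity/ URI that points at an Item.
function isAcceptedByProposedRule(string $uri): bool {
    if (!isAcceptedByCurrentRule($uri)) {
        return false;
    }
    $host = parse_url($uri, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // malformed URL or no host component
    }
    if (preg_match('/(^|\.)wikidata\.org$/D', strtolower($host)) !== 1) {
        return true; // assumption: other hosts are not restricted further
    }
    // Whole-string match: rejects a missing "www", /wiki/ paths, other entity
    // types (P..., L...), query strings and fragments.
    // Assumption: canonical scheme is http and Item IDs look like Q<number>.
    return preg_match('!^http://www\.wikidata\.org/entity/Q[1-9][0-9]*$!D', $uri) === 1;
}

// Constructed sample values, for illustration only.
$samples = [
    'http://www.wikidata.org/entity/Q2',  // canonical Item URI
    'http://wikidata.org/entity/Q2',      // "www" missing
    'http://www.wikidata.org/wiki/Q2',    // "wiki" instead of "entity"
    'http://www.wikidata.org/entity/P31', // not an Item
    'http://example.org/unit/metre',      // not a wikidata.org URI
];

foreach ($samples as $uri) {
    printf(
        "%-40s current=%s proposed=%s\n",
        $uri,
        isAcceptedByCurrentRule($uri) ? 'accept' : 'reject',
        isAcceptedByProposedRule($uri) ? 'accept' : 'reject'
    );
}
```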