Please have a look at the embed code at https://commons.wikimedia.org/wiki/File:Hh-strafjustizgebaeude-justitia.jpg#/media/File:Hh-strafjustizgebaeude-justitia.jpg. The links to German Wikipedia do not work, because the scheme ("http:") is missing. This makes reusers unable to embed this code easily, especially since this is a fairly subtle bug.
The html-embedding-code for this file from the MediaViewer is:
<p><a href="https://commons.wikimedia.org/wiki/File:Hh-strafjustizgebaeude-justitia.jpg#/media/File:Hh-strafjustizgebaeude-justitia.jpg"><img alt="Hh-strafjustizgebaeude-justitia.jpg" src="https://upload.wikimedia.org/wikipedia/commons/c/ce/Hh-strafjustizgebaeude-justitia.jpg" height="514" width="787"></a><br>Von <a href="de.wikipedia.org/wiki/Benutzer:Staro1" class="extiw" title="de:Benutzer:Staro1">Staro1</a> - Von <a href="de.wikipedia.org/wiki/Benutzer:Staro1" class="extiw" title="de:Benutzer:Staro1">Staro1</a> in deutschsprachige Wikipedia geladen., <a title="Creative Commons Attribution-Share Alike 3.0<p></p>" href="http://creativecommons.org/licenses/by-sa/3.0/">CC BY-SA 3.0</a>, https://commons.wikimedia.org/w/index.php?curid=2424938</p>
(right after "(...) Share Alike 3.0") breaks the visual, creating an eventual redundant, empty paragraph.
But, if you copy&pasted the code into a html-tester like http://www.w3schools.com/html/tryit.asp?filename=tryhtml_intro or http://www.play-hookey.com/htmltest/ it looks fine...
appears to be unrelated, as the code & links are working at above test pages.
Having protocol-relative links (starting with //) means that when the reader clicks them, whatever protocol they are using gets prepended. That's not ideal but should work as Commons is reachable through both protocols.
The <p></p> was provided by the template (fixed, although I am not sure why a single newline did that in the first place) but MV should sanitize it and use entities instead of <>.
FWIW, curid is the page id, not the revision id (which would be oldid), so it always links to the latest version of the page and is only used to make the URL shorter. Not sure if it makes sense to use it for HTML descriptions (it was mainly meant for plaintext which used to be horrendously long) but at least it should be linked.
The protocol-relative URLs are from markup like [[:de:Benutzer:Staro1|Staro1]] which the parser turns into <a href="//de.wikipedia.org/wiki/Benutzer:Staro1" class="extiw" title="de:Benutzer:Staro1">Staro1</a>. There are several ways to fix this:
- T42128: Add option for absolute URLs to action=parse
- custom logic for MediViewer (or to be more precise, CommonsMetadata) - to some extens this already happens, but trying to recognize Wikimedia URLs and making them absolute seems very impractical.
- T118413: Wikimedia wikis should use https:// in $wgServer
The last remaining issue with sanitization seems to be a jQuery bug:
var $x = $('<span><a href="http://example.com">x</a></span>'); $x.find('a').prop('title', 'a<p>b</p>c'); $x.html() // <a href="http://example.com" title="a<p>b</p>c">x</a>
Upstreamed as https://github.com/jquery/jquery/issues/3186