Page MenuHomePhabricator

Prevent content injection (blacklisted URL) through Wikidata
Open, Needs TriagePublicFeature


Feature summary :
Even if an URL is blacklisted on Extension:Spam-blacklist (IG : [[fr:MediaWiki:Spam-blacklist]]), Wikidata seems to be a way of injecting it through a local Module (IG. [[fr:Module:Wikidata]]). Isn't it?

Instead of handling the no injection policy in Modules, is that possible to prevent RL injection through Wikidata if the URL is locally blacklisted ?

Event Timeline

I'm the one who raised this problem on

I'd like to add add that if a link is blacklisted, it cannot be added to an article, and if it is used as a reference on WikiData, an infobox displaying it cannot be added to an article as well.

But if an infobox is already in the article, and the blacklisted link is added after on WikiData, then it will appear on Wikipedia even if it is in the blacklist.

Tacsipacsi subscribed.

The module reads data, not wikitext, it’s free to do with it whatever it wants, and I don’t think this should be changed (e.g. by doing as if the statement wasn’t there). However, SpamBlacklist could provide a Lua interface to determine whether a link is blacklisted that considers everything SpamBlacklist uses (local blacklist, global blacklist, local whitelist). And AbuseFilter another one that considers MediaWiki:BlockedExternalDomains.json / Special:BlockedExternalDomains, because that ended up in the AbuseFilter extension (T337431). 🙁

Based on the result of these filters, it would be up to the module to do something, for example:

  • Suppress the link without any traces
  • Suppress the link and show instead a notice to the reader about this fact
  • Show the URL delinked

In addition to any solution, it could also add a tracking category.