Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and except for displaying bug reports and their history, links might be broken. See T36541, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 34541 - File link-feature should not allow external links
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: Parser (Other open bugs)
Version: unspecified
Hardware/OS: All / All
Priority/Severity: Lowest enhancement with 4 votes
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2012-02-20 10:32 UTC by Steef
Modified: 2012-02-24 01:50 UTC
CC: 5 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments:

Description Steef 2012-02-20 10:32:42 UTC
External links inside of files ([[File:...|link=http://...]]) have a high potential of abuse, as the link itself is only shown in the browser's link preview. If a transparent picture is used and positioned absolutely, every click on the whole page would lead to the possible malicious link.

This happened in dewiki today: http://de.wikipedia.org/w/index.php?diff=prev&oldid=99889277 (Hidden by an admin)

Additionally, in contrast to normal links, where the reader knows that it is an external link, most users of Wikipedia click on an image to get to the description page and aren't expecting to end up on an external page.

So in my opinion this feature should be removed. If you need an external link on a file, it should be enough to put it in the caption.
Comment 1 Max Semenik 2012-02-20 11:05:05 UTC
Every feature can be abused in one way or another. Do you have any evidence that this is a widespread problem?
Comment 2 Harald Krichel 2012-02-20 11:32:06 UTC
Not yet a widespread problem, but a serious security flaw, which should be solved before it becomes a widespread problem.
Comment 3 Derk-Jan Hartman 2012-02-20 20:07:27 UTC
The {{click}} templates and the ImageMap extension have the same 'problem'. It has always existed; it's just that it seems some nutjob has been using this a lot recently on Wikipedia. en.wp has an edit filter for it at least.

Removing external links from images would break some things I suspect, but I have no idea of the exact impact.
Comment 4 Steef 2012-02-20 20:29:26 UTC
An edit filter is a short-term solution, but I think this should be addressed in the long run (also for imagemaps).

Some links will be broken if this is changed, but as most pages that are likely to be a link target are also available via the interwiki map (https://meta.wikimedia.org/wiki/Interwiki_map), this shouldn't be much of an issue.
Comment 5 Brion Vibber 2012-02-21 19:38:39 UTC
This feels like a WONTFIX to me.

External links on images are very handy for, say, download links, tools, links to other wiki sites, etc.
Comment 6 Harald Krichel 2012-02-21 19:41:38 UTC
The problem here is not that much the external link on a picture, but the possibility to create a transparent overlay link.
Comment 7 Brion Vibber 2012-02-21 19:51:37 UTC
Abuse of markup is always possible; that's why we have review and revert abilities.

What's at issue is not this feature, but ability to use a large portion of CSS to position things.

That's not likely to go away any time soon either, as all sorts of positioning hacks are used for maps and things legitimately.
Comment 8 Bergi 2012-02-24 01:50:23 UTC
This is obviously WONTFIX; positioning is needed. We can't prevent people from generating overlays, or we would have to disable much CSS, which breaks everything. Also, the problem is not specific to image links.

As far as we prevent XSS attacks, there is no security issue. Malicious domains should get blacklisted, and both textual and image external links will respect that list.
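The pattern the thread describes (a file link whose link= target is off-wiki, which becomes a whole-page click trap when CSS positioning lets a transparent image cover the content) is what an edit filter or a reviewer's tool would look for, and the blacklist Bergi mentions is where a known-bad target would be caught. The following Python is an added example, not MediaWiki code and not the en.wp edit filter from comment 3: it scans wikitext for file links with an external link= target, records whether the same edit also carries absolute or fixed positioning, and checks the link host against a constructed blocklist standing in for the spam blacklist. The regular expressions, the shortened URL-protocol list, the blocklist and the sample wikitext are all assumptions made for the example.

```python
"""Scan wikitext for image links whose link= parameter points off-wiki.

Added example for this bug report; it is neither MediaWiki code nor the
en.wp edit filter mentioned in comment 3.  The regular expressions, the
shortened URL-protocol list, the blocklist and the sample wikitext are
all constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed hostname blocklist standing in for a wiki's spam blacklist.
BLOCKED_HOSTS = {"malicious.example"}

# Shortened stand-in for the wiki's configured list of URL protocols:
# a link= value starting with one of these is an external link target,
# anything else (including "Help:Contents") is a wiki page title.
URL_PREFIXES = ("http://", "https://", "ftp://", "mailto:", "//")

# [[File:Name.ext|param|param|...]]  (also the Image: alias).  Nested
# brackets inside captions are not handled; a real filter would use the
# wikitext parser instead of a regex.
FILE_LINK_RE = re.compile(
    r"\[\[\s*(?:File|Image)\s*:\s*([^\]|]+?)\s*((?:\|[^\]]*)*)\]\]",
    re.IGNORECASE,
)

# CSS that lets a (possibly transparent) image be laid over other content,
# the ingredient that turns an image link into a whole-page click trap.
OVERLAY_RE = re.compile(r"position\s*:\s*(?:absolute|fixed)", re.IGNORECASE)


def is_external(target: str) -> bool:
    """True when the link= value would be treated as a URL, not a page title."""
    return target.strip().lower().startswith(URL_PREFIXES)


def host_of(target: str) -> str:
    """Hostname of an external target; '' for mailto: and the like."""
    t = target.strip()
    if t.startswith("//"):            # protocol-relative URL
        t = "http:" + t
    return (urlparse(t).hostname or "").lower()


def scan_wikitext(text: str) -> list:
    """One finding per file link carrying an external link= target."""
    overlay = bool(OVERLAY_RE.search(text))
    findings = []
    for m in FILE_LINK_RE.finditer(text):
        name, params = m.group(1), m.group(2)
        for param in params.split("|"):
            param = param.strip()
            if not param.lower().startswith("link="):
                continue
            target = param[len("link="):].strip()
            if not is_external(target):
                continue              # wiki-page target: ordinary behaviour
            host = host_of(target)
            findings.append({
                "file": name,
                "target": target,
                "host": host,
                "blocked": host in BLOCKED_HOSTS,
                "overlay": overlay,   # page-level CSS positioning present
            })
    return findings


# Constructed sample edit: two off-wiki image links, one of them inside an
# absolutely positioned full-page div, plus two benign image uses.
SAMPLE_WIKITEXT = """
Intro text. [[File:Transparent.png|link=http://malicious.example/landing|frameless]]
<div style="position:absolute; top:0; left:0; width:100%; height:100%">
[[File:Blank.png|link=https://other.example/|frameless]]</div>
[[File:Logo.png|link=Main Page|thumb|Links to a wiki page, as usual]]
[[File:Map.png|thumb|Caption text may carry the URL http://tools.example instead]]
"""

if __name__ == "__main__":
    for f in scan_wikitext(SAMPLE_WIKITEXT):
        flag = "BLOCKED" if f["blocked"] else "review"
        print(f"{flag}: [[File:{f['file']}]] -> {f['target']} (overlay={f['overlay']})")
```

Run against the constructed sample, the scan reports the two image links with external targets, marks the one pointing at the blocklisted host, and notes that the edit also contains absolute positioning; the image linking to a wiki page and the caption that merely contains a URL are not reported, which matches Steef's suggestion that a caption is the right place for an off-wiki link.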
