Last modified: 2014-08-12 18:58:09 UTC
http://en.wikipedia.org/wiki/MediaWiki:External_Image_Whitelist is currently empty; it's probably worth just turning off $wgEnableImageWhitelist in the enwiki configuration, unless someone has plans to allow external images. It seems that external images are just an opportunity for trouble.
http://en.wikipedia.org/wiki/Special:ApiSandbox#action=query&meta=siteinfo&format=json&siprop=general lets you verify that $wgEnableImageWhitelist is currently on.
I agree. It seems very odd this is enabled by default. I don't think it should be. For reference, first introduced in b3b81715 in 2008.
I think the URL is supposed to be https://en.wikipedia.org/wiki/MediaWiki:External_image_whitelist
Only non-default versions of the message I could find were:
* arwiki, barwiki, kowiktionary - just translated the comments
* mediawikiwiki - "^https?://en\.wikipedia\.org/upload/b/bc/Wiki\.png$"
* testwiki - "^https?://upload\.wikimedia\.org.+$" and "^https://.*\.creativecommons\.org/l/by/3.0/.+\.png$"
I'm taking the somewhat unusual move of switching this bug back to "unconfirmed" for now. There's currently no evidence of a problem to be solved here. Broadly, it may make sense to change the default (which would be a MediaWiki bug, not a Wikimedia bug), however, again, there would first have to be a demonstration of a problem. Any such demonstration would have to account for the fact that:
* local administrators can edit site-wide JavaScript and insert raw HTML;
* the external image whitelist is a relatively clean system for allowing external image sources; and
* this feature has been enabled by default for about five years now without issue.
https://git.wikimedia.org/commitdiff/mediawiki%2Fcore/b3b81715d54e55fee4e18fbba985e98c25d1866a (better link)
Note due to bug 51268, this setting is ignored for Parsoid/VE. Turning $wgEnableImageWhitelist off on production servers where it is unused helps to ensure VE behavior is consistent. I'm not actually suggesting that $wgEnableImageWhitelist be disabled in DefaultSettings.php (as suggested in comment 5). Just that it should be turned off in production for wikis which are not currently using that functionality.