"L" parameter not excluded in TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation
Let's say someone calls a page with a bad "L" parameter like index.php?id=1&L=bad-value. With the TypoScript config.linkVars = L(0-2) this value is not valid and does not get added to links created on that page. Except when there is a typolink with addQueryString set and without addQueryString.exclude = L.
When config.prefixLocalAnchors = all is set, the method TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation is called. In this method there is no way to add the "L" parameter to the excluded parameters (addQueryString.exclude) if it has an invalid value. This is because the "L" parameter is invalid due to config.linkVars = L(0-2). Therefore $GLOBALS['TSFE']->linkVars is empty, which leads to not having the "L" parameter excluded although it has to be. So when the current URL gets a bad "L" parameter added, a link is generated with a bad "L" parameter.
This might open security holes and can lead to conflicts with extensions like realurl.
Additionally, I wonder if it's necessary to not exclude the L parameter for every addQueryString after all. Users should have configured config.linkVars correctly for multi-language sites. With that, TYPO3 takes care of adding the "L" parameter itself when valid.
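The following is an added example, not TYPO3 core code and not part of the original report. It sketches the check the report asks for: parameters named in config.linkVars are excluded from the reused query string by name, and re-added only when their value passes validation. All function names are hypothetical, and only the range form L(0-2) shown in the report is parsed.

```php
<?php
declare(strict_types=1);

/** Parse entries such as "L(0-2)" into ['L' => [0, 2]] (range form only). */
function parseLinkVarRanges(string $spec): array
{
    $ranges = [];
    foreach (array_map('trim', explode(',', $spec)) as $entry) {
        if (preg_match('/^(\w+)\((\d+)-(\d+)\)$/', $entry, $m)) {
            $ranges[$m[1]] = [(int)$m[2], (int)$m[3]];
        }
    }
    return $ranges;
}

/** True when $value is a plain digit string inside the configured range. */
function isValidLinkVar(array $range, $value): bool
{
    if (!is_string($value) || !ctype_digit($value)) {
        return false;
    }
    return (int)$value >= $range[0] && (int)$value <= $range[1];
}

/**
 * Build the query string for a link to the current location.
 * Step 1: drop every parameter named in linkVars, whatever its value, so the
 *         exclusion does not depend on the list of accepted values being filled.
 * Step 2: add back only those linkVars whose value validates.
 */
function buildLinkQuery(array $queryParams, string $linkVarsSpec): string
{
    $ranges = parseLinkVarRanges($linkVarsSpec);
    $kept = array_diff_key($queryParams, $ranges);
    foreach ($ranges as $name => $range) {
        if (isset($queryParams[$name]) && isValidLinkVar($range, $queryParams[$name])) {
            $kept[$name] = $queryParams[$name];
        }
    }
    return http_build_query($kept, '', '&', PHP_QUERY_RFC3986);
}

// Constructed sample requests: index.php?id=1&L=bad-value and index.php?id=1&L=2
echo buildLinkQuery(['id' => '1', 'L' => 'bad-value'], 'L(0-2)'), "\n";
echo buildLinkQuery(['id' => '1', 'L' => '2'], 'L(0-2)'), "\n";
```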
#2 Updated by Riccardo De Contardi about 1 year ago
- Status changed from Needs Feedback to Closed
No feedback for 90+ days => closing this issue.
If you think that this is the wrong decision or experience the issue again and have more information about how to reproduce your problem on recent TYPO3 versions like 9.5.x or the latest Master, please reopen it or open a new issue with a reference to this one.
Thank you and best regards