Bug #80327
closed
"L" parameter not excluded in TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation
Description
Let's say someone calls a page with a bad "L" parameter like index.php?id=1&L=bad-value. With the TypoScript config.linkVars = L(0-2) this value is not valid and is not added to links created on that page. Except there is a typolink with addQueryString set and not addQueryString.exclude = L.
When config.prefixLocalAnchors = all is set the method TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation is called. In this method there is no way to add the "L" parameter to the excluded parameters (addQueryString.exclude) if it has an invalid value. This is because the "L" parameter is invalid due to config.linkVars = L(0-2). Therefore $GLOBALS['TSFE']->linkVars is empty which leads to not having the "L" parameter excluded although it has to. So when the current URL gets a bad "L" parameter added, a link is generated with a bad "L" parameter.
This might open security holes and can lead to conflicts with extensions like realurl.
Additionally I wonder if it's necessary to not exclude the L parameter for every addQueryString after all. Users should have configured config.linkVars correctly for multi language sites. With that TYPO3 takes care of adding the "L" parameter itself when valid.
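A simplified model of the behaviour the report describes, added here as an illustration and not TYPO3 core code. It assumes the exclusion list is derived from the validated link variables, and every function name in it is hypothetical.

```php
<?php
// Simplified model, not TYPO3 core code. All function names are hypothetical.

// Parse a config.linkVars value such as "L(0-2)" into [name => [min, max] | null].
function parseLinkVars(string $config): array
{
    $rules = [];
    foreach (preg_split('/\s*,\s*/', trim($config), -1, PREG_SPLIT_NO_EMPTY) as $item) {
        if (preg_match('/^(\w+)(?:\((\d+)-(\d+)\))?$/', $item, $m)) {
            $rules[$m[1]] = isset($m[2]) ? [(int)$m[2], (int)$m[3]] : null;
        }
    }
    return $rules;
}

// Keep only request parameters that pass their rule
// (the model's stand-in for $GLOBALS['TSFE']->linkVars).
function validLinkVars(array $rules, array $query): array
{
    $valid = [];
    foreach ($rules as $name => $range) {
        $value = $query[$name] ?? null;
        if (!is_string($value)) {
            continue;
        }
        $inRange = ctype_digit($value) && $range !== null
            && (int)$value >= $range[0] && (int)$value <= $range[1];
        if ($range === null || $inRange) {
            $valid[$name] = $value;
        }
    }
    return $valid;
}

// Rebuild the current URL's query string without the excluded names.
function currentQuery(array $query, array $excludeNames): string
{
    return http_build_query(array_diff_key($query, array_flip($excludeNames)));
}

$rules = parseLinkVars('L(0-2)');
// Constructed requests: one valid and one invalid "L" value.
foreach (['id=1&L=1', 'id=1&L=bad-value'] as $raw) {
    parse_str($raw, $query);
    // Assumed reported behaviour: exclusions come from the validated values only.
    $reported = currentQuery($query, array_keys(validLinkVars($rules, $query)));
    // Alternative: exclude every name configured in linkVars, valid or not.
    $byName = currentQuery($query, array_keys($rules));
    echo "$raw\n  exclude validated: ?$reported\n  exclude by name:   ?$byName\n";
}
```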