Project

General

Profile

Actions

Bug #87105

closed

Canonical - not "parameter-save"

Added by Christoph Werner about 5 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
SEO
Target version:
-
Start date:
2018-12-07
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
9
PHP Version:
7.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Hi!

When no canonical is set manualy, the basic canonical is not save against parameters, so if you add ?foo=bar to the URL (or any other parameter) it is added to the canonical.
When you set the canonical manualy (i.e. the site itself), it works right: no parameter is added to the canonical.
Best
Christoph

PS: the hreflangtags are set and word correctly


Related issues 1 (0 open1 closed)

Is duplicate of TYPO3 Core - Bug #86865: Canonical tag for pages with extension records not correctClosed2018-11-06

Actions
Actions #1

Updated by Richard Haeser about 5 years ago

Thanks for your report. This is actually a duplicate issue of #86865. So I will close this one. Please follow the other issue. Already a pending patch for that.

Actions #2

Updated by Richard Haeser about 5 years ago

  • Is duplicate of Bug #86865: Canonical tag for pages with extension records not correct added
Actions #3

Updated by Richard Haeser about 5 years ago

  • Status changed from New to Closed
Actions #4

Updated by Robert Vock about 5 years ago

I do not think, this is a duplicate. I rather think, #86865 might have introduced this issue.

This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.

Example: Request to www.example.de/?test=1 leads to this canonical URL:

<link rel="canonical" href="http://www.example.de/?test=1&amp;cHash=18700f90c42831de639122ac9306972d">

Then this page is written to the cache and the next visitor also gets this canonical URL, even though he requested the page without parameters.

I do not think, this is correct. This way even some random attacks can appear in the canonical URL. We recently had requests that looked like some kind of SQL injection:

http://www.example.de/?%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,
45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45)%20--%20%20/*

All pages which previously weren't cached, now were cached with this canonical URL:

<link rel="canonical" href="http://www.example.de/?%20UNION%20SELECT%20CHAR%2845%2C120%2C49%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C50%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C51%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C52%2C45%2C81%2C45%29%2CCHAR%2845%2C120%2C53%2C45%2C81%2C45%29%20--%20%20%2F%2A&amp;cHash=95ba3e44d81be05e0e48763d8c156b71">

Actions #5

Updated by Patrick Fiedorowicz about 5 years ago

Robert Vock wrote:

This bug says, that parameters are added to the canonical URL, which should NOT be added. If you have a page, which is not yet cached, and the first request adds some Query-Strings, these appear in the canonical URL.

Example: Request to www.example.de/?test=1 leads to this canonical URL:
[...]

This should not be possible because a request with params but without a cHash throws a fatal exception:
"Request parameters could not be validated (&cHash empty)"

Have you set [FE][pageNotFoundOnCHashError] to false to prevent this?

Actions #6

Updated by Robert Vock about 5 years ago

No. I only installed TYPO3 using the composer package "typo3/cms-base-distribution". Then I just run through the installation process and choose "Create empty starting page".

Then i request www.example.de/en/?test=1 and get a canonical URL with cHash

Actions #7

Updated by Peter Linzenkirchner over 4 years ago

Please reopen this bug - it is not fixed yet. I tried with TYPO3 9.5.10 and Introduction package:

[FE][pageNotFoundOnCHashError] = 1

Try:

<link rel="canonical" href="http://typo39lts.local/content-examples/text/rich-text?foo=bar&amp;cHash=b53b88bf0f73e07d8f41d0c1b9fda120"/>

that means the page is cached with wrong canonical.

Try again:

Result:

  • [FE][pageNotFoundOnCHashError] only throws an error when the value is wrong not when it is empty
  • the canonicals are broken.
Actions #8

Updated by Wolfgang Klinger over 4 years ago

As long as this is not fixed, you can use my extension here:
https://github.com/wazum/seo-canonical-guard

Actions #9

Updated by Lukas Hausammann over 1 year ago

It seems that this bug still exists in TYPO3 version 10 and 11. Is there anything new here, what does it take to finally solve this?

Fortunately, the extension "seo-canonical-guard" by Wolfgang Klinger still seems to work in TYPO3 version 10. I have not yet tried TYPO3 11.

Actions #10

Updated by Christoph Werner over 1 year ago

Lukas Hausammann wrote in #note-9:

It seems that this bug still exists in TYPO3 version 10 and 11. Is there anything new here, what does it take to finally solve this?

Fortunately, the extension "seo-canonical-guard" by Wolfgang Klinger still seems to work in TYPO3 version 10. I have not yet tried TYPO3 11.

Hi Lukas,

use https://extensions.typo3.org/extension/trusted_url_params für TYPO3 10/11
Final corefix should be implemented in Version 12.

Best,
Christoph

Actions

Also available in: Atom PDF