#36372 Issue with tmpl= in URL block

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by jfquestiaux on Friday, 07 January 2022 07:51 CST

jfquestiaux

Hi. I have an issue I can't resolve.

I have a Joomla! article displaying a Fabrik list (Fabrik is a component - https://fabrikar.com/). When I filter the list, I get a 403 error with the reason "tmpl in URL".
However, there is no "tmpl=" in the query or the URL which is like this:

https://www.XXX.fr/tableau-de-bord?clearfilters=0&clearordering=0&resetfilters=0

Without the URL rewriting, the URL is

https://www.XXX.fr/index.php?option=com_content&view=article&id=2&Itemid=130&resetfilters=0&clearordering=0&clearfilters=0

Note that I don't have this issue if I access the list directly (via a menu item to the Fabrik component), only when the list is embedded in an article (via a content plugin).

I added com_content, article and the different query parameters in the WAF exception, as well as com_fabrik, list and the same parameters, but that does not solve the issue.

I also added "resetfilters,clearordering,clearfilters" to the list of allowed tmpl, but with no more luck.

The only thing that works is to turn off "Block tmpl=foo system template switch", but I would prefer to have a safer solution. Do you think it's possible?

Kind regards and Happy New Year.

Joomla! Web Agency : Better Web
SEO, performances improvements, custom web applications, AMP pages, migrations,...

nicholas
Akeeba Staff
Manager

Most likely this URL redirects you to a different URL that has the tmpl=something parameter in it.

If that's not the case, the menu item tableau-de-bord sets up the tmpl=something; you can view that by editing the menu item and looking at the URL displayed in the uneditable Link field.

Also note that the URL of the page is not the only thing that is being loaded. Fabrik could be doing an AJAX request (XHR), something you can see in your browser's developer tools under the Network tab.

Either way, you can find out what tmpl value Fabrik is using and add it to the comma-separated list of allowed tmpl parameters in the Configure WAF page. The changes you already made do not make any sense; none of these is a value of the tmpl query string parameter.

Nicholas K. Dionysopoulos

Lead Developer and Director


jfquestiaux

Thanks, your comments were valuable hints.

There is an Ajax request, still with no "tmpl=" mention in it, but it calls to something where there is a reference to the internal Fabrik templating, so you need to add the name of the template used in the list of allowed tmpl and now it's working, with the protection ON.

Joomla! Web Agency : Better Web
SEO, performances improvements, custom web applications, AMP pages, migrations,...
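
Added example (not part of the ticket, and not Akeeba's or Fabrik's code): the Network-tab check suggested in the thread, done offline on a HAR export by listing every tmpl value found in query strings, form-encoded POST bodies and redirect targets, then reporting the ones missing from the allowed list. The capture, the host example.test, the template name example_tmpl and the allowed-list string are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR-style capture (dev tools > Network > save as HAR).
# Host, paths and the template name "example_tmpl" are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://www.example.test/tableau-de-bord"
                        "?clearfilters=0&clearordering=0&resetfilters=0"},
     "response": {"status": 200, "redirectURL": ""}},
    {"request": {"method": "POST", "url": "https://www.example.test/index.php",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "option=com_fabrik&tmpl=example_tmpl"}},
     "response": {"status": 403, "redirectURL": ""}},
    {"request": {"method": "GET", "url": "https://www.example.test/old-page"},
     "response": {"status": 303,
                  "redirectURL": "https://www.example.test/index.php?tmpl=component"}},
]}}


def _url_pairs(url):
    """Decode the query string of a URL into (name, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def find_tmpl_values(har):
    """Return (source, request_url, value) for each tmpl parameter seen."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response") or {}
        sources = [("query", _url_pairs(req["url"]))]
        post = req.get("postData") or {}
        if "x-www-form-urlencoded" in post.get("mimeType", ""):
            body = post.get("text") or ""
            sources.append(("post body", parse_qsl(body, keep_blank_values=True)))
        if resp.get("redirectURL"):
            sources.append(("redirect target", _url_pairs(resp["redirectURL"])))
        for source, pairs in sources:
            hits += [(source, req["url"], v) for k, v in pairs if k == "tmpl"]
    return hits


def unlisted_tmpl(har, allowed_csv):
    """tmpl values in the capture that are absent from a comma-separated list."""
    allowed = {v.strip() for v in allowed_csv.split(",") if v.strip()}
    return sorted({v for _, _, v in find_tmpl_values(har)} - allowed)


if __name__ == "__main__":
    for source, url, value in find_tmpl_values(SAMPLE_HAR):
        print(f"tmpl={value!r} in {source} of {url}")
    print("not in allowed list:", unlisted_tmpl(SAMPLE_HAR, "component,system,raw"))
```

The scan only sees a parameter literally named tmpl; where the template name travels some other way, as the last post describes, it still has to be identified by reading the request itself.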
