#40048 Some links are blocked - Suspicious Core Parameter (Cloaking?)

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.4.1
PHP version: 8.1.14
Admin Tools version: 7.4.6

Latest post by nicholas on Friday, 29 December 2023 05:50 CST

ideaviz

Hello,

First of all. Thank you for your amazing tools.

Please, I have a question that is important for the running of my website.

After updating to the new version of Admin Tools for Joomla, some links are blocked (as Suspicious Core Parameter) and pop up error 403.

For these links on my site, I intentionally use a template in the URL to turn off parts of the template: ?ml=0&tmpl=template

I tried in configure WAF / cloaking / List of allowed tmpl= keywords
List the keywords associated with "?ml=0&tmpl=template", but still the links don't work.

How can I make this work again please? 

Thank you!

Jan

[Attachment: template-link-problem.jpg]

ideaviz

picture again

nicholas
Akeeba Staff
Manager

Something does not add up. You say that you get a “Suspicious Core Parameter” block. This means that the tmpl request parameter's value (or another one of the request parameters' value – I cannot know because you never gave me the actual URL) has invalid characters.

If you have exactly tmpl=template there is no invalid character in the value, since Joomla! expects it to conform to the CMD filter (allowed characters are lower- and upper-case A to Z without accents or diacritics, numbers 0 to 9, dot, dash, and underscore). If, however, you have accidentally left a space before or after the value such as tmpl=◼️template or tmpl=template◼️ (I used ◼️ to denote the space) then the value no longer conforms to the CMD filter and triggers the Suspicious Core Parameter blocking rule.

If you do not have spaces around template then I need to see the actual, full URL (without the domain name) to tell you what is wrong with it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

ideaviz

Hello Nicholas,

Thank you for the fast reply.
I've been troubleshooting this problem for a while and now I know what's causing it:

This is what a (broken) link that is blocked by Admin Tools looks like:

index.php?option=com_content&view=article&id=135&catid=2&lang=en-GB?ml=0&tmpl=template


This is what a working link that is not blocked looks like:

index.php?option=com_content&view=article&id=20&catid=2?ml=0&tmpl=template


The problem is caused by chaining information in the URL / link, when Joomla added information about the language mutation.

&lang=en-GB


Interestingly, in this case there is no blocking and it also works:

index.php?option=com_content&view=article&id=135&catid=2&lang=en-GB


But for my purposes, only this link is functional:

index.php?option=com_content&view=article&id=20&catid=2?ml=0&tmpl=template



Anyway, something must have changed within Admin Tools? Because the link blocking started to happen after the last update? Before that the links were working?


nicholas
Akeeba Staff
Manager

You are misunderstanding how URLs work. Let's take this URL here:

index.php?option=com_content&view=article&id=135&catid=2&lang=en-GB?ml=0&tmpl=template

The FIRST question mark – and ONLY that – separates the URL path from the URL query. Therefore the URL path is index.php and the URL query is option=com_content&view=article&id=135&catid=2&lang=en-GB?ml=0&tmpl=template

Let's break the URL query down into parameters and their values, remembering that URL parameter names are on the left of the equals sign, values are on the right hand side of the equals sign, and that key-value pairs are separated by ampersands (&), NOT BY QUESTION MARKS:

  • option=com_content
  • view=article
  • id=135
  • catid=2
  • lang=en-GB?ml=0
  • tmpl=template

Do you see the problem? It's in the lang parameter which I marked with red for you. Its value IS NOT en-GB as you mistakenly think. It is en-GB?ml=0. The lang parameter must also conform to the CMD filter which, as a reminder from our previous conversation, consists of lower- and upper-case characters a-z without accents or diacritics, numbers 0-9, dashes, underscores, and dots.

Since the actual value, which I remind you is en-GB?ml=0, has a question mark and an equals sign it is invalid. These characters do not conform to the CMD filter.

Therefore, Admin Tools is correct in blocking this request.

And yes, the Block Suspicious Core Parameters feature was only added in the last update which is why you only now see it. However, this does not change the fact that the URL was broken before and did not work the way you thought it does.

The question is, what kind of broken software generated this very broken URL? I can tell you it is neither Joomla! itself, nor any of our software. This smells of the work of an amateur, who took the current URL and naïvely appended ?ml=0&tmpl=template to it because they only ever tested their software on sites with SEF URLs enabled, and with page URLs which never had any URL parameters appended to them. Understandable rookie mistake, but this approach will never work right.

The proper way to do it is parse the current URL using Joomla\Uri\Uri, e.g.

$uri = clone \Joomla\CMS\Uri\Uri::getInstance();
$uri->setVar('ml', 0);
$uri->setVar('tmpl', 'template');
$correctUrl = $uri->toString();

That's the correct way to do it. Another working variant (which I've done when using Uri is too computationally expensive) is to check for the existence of a question mark, e.g.

$correctURL = \Joomla\CMS\Uri\Uri::getCurrent();
$correctURL .= (str_contains($correctURL, '?') ? '&' : '?') . 'ml=0&tmpl=template';

The latter method also works in client-side (JavaScript) code, which is something I have definitely done before as I didn't want to go through the server.

Find the problem software and contact its developer with the information I included in this reply so they can fix their software. Ignoring problems is not the right way to go about it. Problems must be fixed at their root.

Nicholas K. Dionysopoulos

Lead Developer and Director


ideaviz

Hello, Nicholas,

Thank you for your very comprehensive and clear answer.
You've described it in perfect detail. It is now clear.

I understand.
The "lang=en-GB" was not separate, but was incorrectly appended with the parameter ?ml=0.
I had overlooked that.

Otherwise, the string to turn off the template, which is added to links by this method, works correctly.
(Advice from YOOTHEME support for adding custom code)

    (function($) {
        $(document).ready(function() {
            $('.notemplate a').each(function() {
                var link = $(this).attr('href');
                var modifiedLink = link + '?ml=0&tmpl=template';
                $(this).attr('href', modifiedLink);
            });
        });
    })(jQuery);


Thanks for the explanation and help even like this between Christmas holidays.

Good luck in continuing to create very useful tools in 2024!

nicholas
Akeeba Staff
Manager

This line is the culprit:

var modifiedLink = link + '?ml=0&tmpl=template';

This only works if the variable link contains a link without parameters. Otherwise, it results in two question marks, with all the problems this entails. The correct line would be:

var modifiedLink = link + (link.indexOf('?') === -1 ? '?' : '&') + 'ml=0&tmpl=template';

This does what I described in my previous post. If the link does not have URL parameters (therefore, there is no question mark in it) append a question mark before the custom parameters, otherwise append an ampersand before the custom parameters. It's not 100% bulletproof, but it works on virtually all practical use cases.

Nicholas K. Dionysopoulos

Lead Developer and Director

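The URL breakdown from the earlier reply (first question mark splits path from query, ampersands split the pairs, every core parameter value must pass the CMD filter) and the '?'/'&' fix from the reply above can be checked with the script below. This is an added example, not code from the ticket, from Admin Tools or from YOOTHEME; the list of "core" parameter names it inspects, the sample links, and the fragment-preserving variant at the end are assumptions made for the example, not a description of the real blocking rule.

```javascript
// Added example: reproduce the URL parsing described in the thread and compare
// the naive concatenation with the corrected '?'/'&' check.

// CMD filter as described in the replies: A-Z, a-z, 0-9, dot, dash, underscore.
const CMD_FILTER = /^[A-Za-z0-9._-]*$/;

// Parameter names treated as "core" here. This list is an assumption for the
// example; the real Admin Tools rule is not reproduced by this script.
const CORE_PARAMS = ['option', 'view', 'layout', 'tmpl', 'lang', 'format'];

// Split a URL at the FIRST question mark only, then split the query on '&'.
// The WHATWG URL class is deliberately not used so the raw, possibly broken,
// values stay visible exactly as a server would receive them.
function parseQuery(url) {
  const q = url.indexOf('?');
  const path = q === -1 ? url : url.slice(0, q);
  const query = q === -1 ? '' : url.slice(q + 1);
  const params = {};
  for (const pair of query.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    params[key] = eq === -1 ? '' : pair.slice(eq + 1);
  }
  return { path, params };
}

// Names of the core parameters present in the URL whose value fails the CMD filter.
function suspiciousCoreParams(url) {
  const { params } = parseQuery(url);
  return CORE_PARAMS.filter((k) => k in params && !CMD_FILTER.test(params[k]));
}

// The naive concatenation from the custom code in the ticket (kept for comparison).
function appendNaive(link) {
  return link + '?ml=0&tmpl=template';
}

// The corrected line from the reply: '?' when there is no query yet, '&' otherwise.
function appendCorrect(link) {
  return link + (link.indexOf('?') === -1 ? '?' : '&') + 'ml=0&tmpl=template';
}

// Extension (mine, not from the thread): keep a trailing '#fragment' in place,
// one of the practical cases the plain '?'/'&' check does not cover.
function appendKeepingFragment(link) {
  const hash = link.indexOf('#');
  const base = hash === -1 ? link : link.slice(0, hash);
  const fragment = hash === -1 ? '' : link.slice(hash);
  return appendCorrect(base) + fragment;
}

// Constructed sample links mirroring the ones quoted in the ticket.
const SEF_LINK = '/en/articles/some-article';
const NON_SEF_LINK = 'index.php?option=com_content&view=article&id=135&catid=2&lang=en-GB';

function main() {
  for (const link of [SEF_LINK, NON_SEF_LINK]) {
    const naive = appendNaive(link);
    const fixed = appendCorrect(link);
    console.log('naive :', naive, '-> blocked params:', suspiciousCoreParams(naive));
    console.log('fixed :', fixed, '-> blocked params:', suspiciousCoreParams(fixed));
  }
  console.log('with fragment:', appendKeepingFragment(SEF_LINK + '#top'));
}

main();
```

Run it with node; the naive version of the non-SEF link yields a lang value of en-GB?ml=0, which fails the filter, while the corrected version keeps lang=en-GB and passes.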
