Admin Tools

#40048 Some links are blocked - Suspicious Core Parameter (Cloaking?)

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
PHP version
Admin Tools version

Latest post by nicholas on Friday, 29 December 2023 05:50 CST



First of all. Thank you for your amazing tools.

Please, I have a question that is important for the running of my website.

After updating to the new version of Admin Tools for Joomla, some links are blocked (as Suspicious Core Parameter) and pop up error 403.

For these links on my site, I intentionally use a template in the URL to turn off parts of the template: ?ml=0&tmpl=template

I tried in configure WAF / cloaking / List of allowed tmpl= keywords
List the keywords associated with "?ml=0&tmpl=template", but still the links don't work.

How can I make this work again please? 

Thank you!




picture again

Akeeba Staff

Something does not add up. You say that you get a “Suspicious Core Parameter” block. This means that the tmpl request parameter's value (or another one of the request parameters' value – I cannot know because you never gave me the actual URL) has invalid characters.

If you have exactly tmpl=template there is no invalid character in the value, since Joomla! expects it to conform to the CMD filter (allowed characters are lower- and upper-case A to Z without accents or diacritics, numbers 0 to 9, dot, dash, and underscore). If, however, you have accidentally left a space before or after the value such as tmpl=◼️template or tmpl=template◼️ (I used ◼️ to denote the space) then the value no longer conforms to the CMD filter and triggers the Suspicious Core Parameter blocking rule.

If you do not have spaces around template then I need to see the actual, full URL (without the domain name) to tell you what is wrong with it.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


Hello Nicholas,

thank you for fast reply. 
I've been troubleshooting this problem for a while and now I know what's causing it:

This is what a (broken) link that is blocked by Admintools looks like:


This is what a working link that is not blocked looks like:


The problem is caused by chaining information in the URL / link, when joomla added information about the language mutation.


Interestingly, in this case there is no blocking and it also works :


But for my purposes, this link is only functional :


Anyway, something must have changed within admintools? Because the link blocking started to happen after the last update?
Before that the links were working?

Akeeba Staff

You are misunderstanding how URLs work. Let's take this URL here:


The FIRST question mark – and ONLY that – separates the URL path from the URL query. Therefore the URL path is index.php and the URL query is option=com_content&view=article&id=135&catid=2&lang=en-GB?ml=0&tmpl=template

Let's break the URL query down into parameters and their values, remembering that URL parameter names are on the left of the equals sign, values are on the right hand side of the equals sign, and that key-value pairs are separated by ampersands (&), NOT BY QUESTION MARKS:

  • option=com_content
  • view=article
  • id=135
  • catid=2
  • lang=en-GB?ml=0
  • tmpl=template

Do you see the problem? It's in the lang parameter which I marked with red for you. Its value IS NOT en-GB as you mistakenly think. It is en-GB?ml=0. The lang parameter must also conform to the CMD filter which, as a reminder from our previous conversation, consists of lower- and upper-case characters a-z without accents or diacritics, numbers 0-9, dashes, underscores, and dots.

Since the actual value, which I remind you is en-GB?ml=0, has a question mark and an equals sign it is invalid. These characters do not conform to the CMD filter.

Therefore, Admin Tools is correct in blocking this request.

And yes, the Block Suspicious Core Parameters feature was only added in the last update which is why you only now see it. However, this does not change the fact that the URL was broken before and did not work the way you thought it does.

The question is, what kind of broken software generated this very broken URL? I can tell you it is neither Joomla! itself, nor any of our software. This smells of the work of an amateur, who took the current URL and naïvely appended ?ml=0&tmpl=template to it because they only ever tested their software on sites with SEF URLs enabled, and with page URLs which never had any URL parameters appended to them. Understandable rookie mistake, but this approach will never work right.

The proper way to do it is parse the current URL using Joomla\Uri\Uri, e.g.

$uri = clone \Joomla\CMS\Uri\Uri::getInstance();
$uri->setVar('ml', 0);
$uri->setVar('tmpl', 'template');
$correctUrl = $uri->toString();

That's the correct way to do it. Another working variant (which I've done when using Uri is too computationally expensive) is to check for the existence of a question mark, e.g.

$correctURL = \Joomla\CMS\Uri\Uri::getCurrent();
$correctURL .= (str_contains($correctURL, '?') ? '&' : '?') . 'ml=0&tmpl=template';

The latter method also works in client-side (JavaScript) code, which is something I have definitely done before as I didn't want to go through the server.

Find the problem software and contact its developer with the information I included in this reply so they can fix their software. Ignoring problems is not the right way to go about it. Problems must be fixed at their root.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


Hello, Nicholas,

Thank you for your very comprehensive and clear answer.
You've described it in perfect detail. It is now clear.

I understand.
The "lang=en-GB" was not separate, but was incorrectly appended with the parameter ?ml=0.
I had overlooked that.

Otherwise, the string to turn off temlate, which is added to links by this method, works correctly.
(Advice from YOOTHEME support for adding custom code)

(function($) {
$(document).ready(function() {
$('.notemplate a').each(function() {
var link = $(this).attr('href');
var modifiedLink = link + '?ml=0&tmpl=template';
$(this).attr('href', modifiedLink);

Thanks for the explanation and help even like this between Christmas holidays.

Good luck in continuing to create very useful tools in 2024!

Akeeba Staff

This line is the culprit:

var modifiedLink = link + '?ml=0&tmpl=template';

This only works if the variable link contains a link without parameters. Otherwise, it results to two question marks with all the problems this entails. The correct line would be:

var modifiedLink = link + (link.indexOf('?') === -1 ? '?' : '&') + 'ml=0&tmpl=template';

This does what I described in my previous post. If the link does not have URL parameters (therefore, there is no question mark in it) append a question mark before the custom parameters, otherwise append an ampersand before the custom parameters. It's not 100% bulletproof, but it works on virtually all practical use cases.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!