Download the PHP package b13/trusted-url-params without Composer

On this page you can find all versions of the php package b13/trusted-url-params. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to add one include: require_once('vendor/autoload.php');. After that, you have to import the classes with use statements.

Example:
If you use only one package, a project is not needed. But if you use more than one package, it is not possible to import the classes with use statements without a project.

In general, it is recommended to always use a project to download your libraries. An application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories. In this case, credentials are needed to access such packages. Please use the auth.json textarea to insert credentials if a package comes from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs many resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Information about the package trusted-url-params

Trusted URL Params - A TYPO3 extension to generate safe URLs

This TYPO3 extension modifies the generation of links to TYPO3 pages to only include the current query parameters ($_GET) that have been resolved by TYPO3's Routing.

Background

TYPO3's typolink functionality is super-powerful but also drags a lot of history with it. Various issues have been addressed with TYPO3's Routing, which was introduced in TYPO3 v9.

However, one main issue remains: the use of typolink's addQueryString option. If used, the option adds every existing $_GET parameter to the generated URL and, in the worst case, generates a valid cHash for this link.

addQueryString allows defining an exclude list of GET parameters; however, this issue can never be solved properly with an exclude list, only with an allow-list. With TYPO3 v9, we already have an "allow list" for the current request: all GET parameters or arguments that have been found in the route path ("route arguments"). This is a much better basis for the "addQueryString" logic than the plain $_GET array.
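
A simplified model of the difference between the two strategies, added here as an illustration. It is not code from TYPO3 or from this extension; the function names, the path and all parameter values are constructed.

```php
<?php
declare(strict_types=1);

// Simplified model, not TYPO3 core or extension code. Function names and
// all sample values are constructed for this illustration.

/** Exclude-list: copy every current parameter except the listed names. */
function filterByExcludeList(array $queryParams, array $exclude): array
{
    return array_diff_key($queryParams, array_flip($exclude));
}

/** Allow-list: keep only parameters that routing resolved for this request. */
function filterByRouteArguments(array $queryParams, array $routeArguments): array
{
    $kept = [];
    foreach ($routeArguments as $name => $resolved) {
        if (!array_key_exists($name, $queryParams)) {
            continue;
        }
        $current = $queryParams[$name];
        if (is_array($resolved) && is_array($current)) {
            $nested = filterByRouteArguments($current, $resolved);
            if ($nested !== []) {
                $kept[$name] = $nested;
            }
        } elseif (!is_array($resolved) && !is_array($current)) {
            $kept[$name] = $current;
        }
    }
    return $kept;
}

function buildUrl(string $path, array $params): string
{
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $query === '' ? $path : $path . '?' . $query;
}

// Constructed request: routing resolved only tx_news[id]; the rest was appended.
$routeArguments = ['tx_news' => ['id' => '42']];
$queryParams = [
    'tx_news' => ['id' => '42', 'extra' => '1'],
    'utm_source' => 'mail',
    'unexpected' => 'anything',
];

echo buildUrl('/news', filterByExcludeList($queryParams, ['utm_source'])), PHP_EOL;
echo buildUrl('/news', filterByRouteArguments($queryParams, $routeArguments)), PHP_EOL;
```

The first URL still carries tx_news[extra] and unexpected because neither name was on the exclude list; the second contains only the parameter that routing resolved.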

Since TYPO3 v9, this issue has become more visible as the commonly used seo extension uses addQueryString to generate the canonical tag, or the language menu.

How we fixed it

This extension provides an XCLASS (as there is currently no alternative to hook into this place of link generation) and only takes safe query parameters from the current URL, and only for generated URLs that use the addQueryString flag.

When to use this extension

We recommend using this extension

Please read https://typo3.org/security/advisory/typo3-psa-2021-003 for more details.

TYPO3 v12

TYPO3 v12 finally enforces that addQueryString only allows "trusted" URL parameters, making this extension obsolete. However, the extension continues to be compatible with TYPO3 v12 when extensions use legacy functionality.

See https://review.typo3.org/c/Packages/TYPO3.CMS/+/75864 for the related core change.

Installation

Install this extension via composer req b13/trusted-url-params or download it from the TYPO3 Extension Repository and activate the extension in the Extension Manager of your TYPO3 installation.

Note: This extension is compatible with TYPO3 v9, v10 and v11.

Configuration

This extension provides safe URLs by default, and no further configuration is needed. However, custom TypoLink links can use the addQueryString.includeUntrusted = 1 property to also include URL parameters that are added as GET parameters (such as query strings from Solr).

Possible side effects

As we believe in the concept of an "allow list", we further want to extend this configuration to allow regular query parameters if configured in e.g. a site configuration to allow proper pagination links, which might be an issue.

Inspiration

Credits

This extension was created by Benni Mack in 2021 for b13 GmbH, Stuttgart.

Find more TYPO3 extensions we have developed that help us deliver value in client projects. As part of the way we work, we focus on testing and best practices to ensure long-term performance, reliability, and results in all our code.


All versions of trusted-url-params with dependencies

Requires php Version ^7.2 || ^8.0
typo3/cms-core Version ^9.5.16 || ^10.0 || ^11.0 || ^12.0