b13/trusted-url-params
======================

TYPO3 extension to ensure that only safe query parameters from TYPO3's Routing are added to generated links


Trusted URL Params - A TYPO3 extension to generate safe URLs
============================================================


This TYPO3 extension modifies the generation of links to TYPO3 pages to only include the current query parameters (`$_GET`) that have been resolved by TYPO3's Routing.

Background
----------


TYPO3's `typolink` functionality is super-powerful but also drags a lot of history with it. Various issues have been addressed with TYPO3's Routing, which was introduced in TYPO3 v9.

However, one main issue remains: the usage of the `addQueryString` option of `typolink`. If used, the option adds *any* existing `$_GET` parameter to the generated URL and, in the worst case, generates a valid cHash for this link.

`addQueryString` allows defining an exclude list of GET parameters; however, this issue can never be solved properly with an exclude list, only with an allow list. With TYPO3 v9, we already have an "allow list" for the current request: all GET parameters or arguments that have been found in the route path ("route arguments"). This is a much better basis for the "addQueryString" logic than the plain `$_GET` array.

Since TYPO3 v9, this issue has become more visible as the commonly used `seo` extension uses `addQueryString` to generate the canonical tag, or the language menu.

How we fixed it
---------------


This extension provides an XCLASS (as there is currently no alternative way to hook into this part of link generation). It only takes safe query parameters from the current URL, and only for generated URLs that use the `addQueryString` flag.
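
The difference between an exclude list and an allow list built from route arguments, as an added example: this is a plain-PHP model, not the extension's or TYPO3's own code, and the function names and sample parameters are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration: a plain-PHP model of the two strategies.
// Not TYPO3 or extension code; names and sample values are constructed.

/** Exclude list: every request parameter survives unless it is named. */
function filterByExcludeList(array $params, array $excluded): array
{
    return array_diff_key($params, array_flip($excluded));
}

/** Allow list: keep only keys that routing resolved, at every nesting level. */
function filterByAllowList(array $params, array $routeArguments): array
{
    $kept = [];
    foreach (array_intersect_key($params, $routeArguments) as $key => $value) {
        if (is_array($routeArguments[$key])) {
            // Plugin namespace: descend; scalar input for a namespace is dropped
            $value = is_array($value) ? filterByAllowList($value, $routeArguments[$key]) : [];
            if ($value === []) {
                continue;
            }
        } elseif (is_array($value)) {
            continue; // array supplied where routing resolved a scalar
        }
        $kept[$key] = $value;
    }
    return $kept;
}

// Constructed request: routing resolved one argument from the route path,
// everything else was appended to the URL by the client.
$routeArguments = ['tx_example_pi1' => ['item' => '42']];
$requestParams = [
    'tx_example_pi1' => ['item' => '42', 'preview' => '1'],
    'utm_source' => 'newsletter',
    'anything' => 'goes',
];

$byExclude = filterByExcludeList($requestParams, ['utm_source']);
$byAllow = filterByAllowList($requestParams, $routeArguments);

echo urldecode(http_build_query($byExclude)), PHP_EOL;
echo urldecode(http_build_query($byAllow)), PHP_EOL;
```

The exclude list still lets `tx_example_pi1[preview]` and `anything` through into the generated link, while the allow list leaves only `tx_example_pi1[item]`.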

When to use this extension
--------------------------


We recommend using this extension

- if you have trouble with SEO campaigns and an invalid canonical tag
- or if (valid) bots follow crazy links and fill your cache backends or eat up your server resources
- and if you know you don't misuse "addQueryString" in any other places such as your own TypoScript or third-party extensions

Please read  for more details.

TYPO3 v12
---------


TYPO3 v12 finally enforces that `addQueryString` only allows "trusted" URL parameters, making this extension obsolete. However, the extension continues to be compatible with TYPO3 v12 when extensions use legacy functionality.

See  for the related core change.

Installation
------------


Install this extension via `composer req b13/trusted-url-params` or download it from the [TYPO3 Extension Repository](https://extensions.typo3.org/extension/trusted_url_params/) and activate the extension in the Extension Manager of your TYPO3 installation.

Note: This extension is compatible with TYPO3 v9, v10 and v11.

Configuration
-------------


This extension provides safe URLs by default, and no further configuration is needed. However, custom TypoLink links can use the `addQueryString.includeUntrusted = 1` property to also include URL parameters that are added as GET parameters (such as query strings from SolR).

### Possible side effects


As we believe in the concept of an "allow list", we want to extend this configuration further so that regular query parameters can be allowed if configured, e.g. in a site configuration. This would allow proper pagination links, which might otherwise be an issue.

Inspiration
-----------


- TYPO3 Core v9 Routing (Thanks to Oliver Hader and Benni Mack)
- Helmut Hummel (original idea on how to solve it "the core way")
- Extension ["urlguard"](https://github.com/sourcebroker/urlguard) (Thanks to Krystian Szymukowicz from SourceBroker)
- Extension ["urlguard2"](https://github.com/studiomitte/urlguard2) (Thanks to Georg Ringer from Studio Mitte)
- Extension ["seo-canonical-guard"](https://github.com/wazum/seo-canonical-guard)

Credits
-------


This extension was created by Benni Mack in 2021 for [b13 GmbH, Stuttgart](https://b13.com).

[Find more TYPO3 extensions we have developed](https://b13.com/useful-typo3-extensions-from-b13-to-you) that help us deliver value in client projects. As part of the way we work, we focus on testing and best practices to ensure long-term performance, reliability, and results in all our code.

