Support

You cannot add an exception to this feature, nor should you ever need to. The whole point of this feature is to prevent a whole class of rather sinister attacks which you'd open yourself to if you were to add an exception. Either adding an exception or disabling the feature altogether has the same result as far as security is concerned.

In fact, the URL you pasted shows that this is a glaring oversight in PageBuilder. Actually, two glaring oversights.

First, the return URL should never, EVER, be sent as a raw URL. Joomla is doing the right thing since 2007, sending return URLs as base64 encoded strings. Moreover, the encoded return URL should be relative, not absolute. This is not pedantic talk. There are real world security concerns by allowing full URLs the script will redirect to. So this is the first bug report you should file with Yoo.

The second problem is that they pass a full URL in the site parameter which is part of the return URL. Everything I described before applies here as well.

The correct solution is to file these bugs with Yoo and ask them to fix them. In the meantime you have to disable the "Protect against common file injection attacks" feature.

If you ask me, I would refrain from using an extension whose developers don't seem to understand the fundamentals of security. I don't say this lightly. For the last 10 years YooTheme has been a repeat offender with all of their extensions and templates, refusing to fix their issues. I understand why people use their software but I can not in good conscience, as someone you trust with your site security, condone their actions or recommend continuing using their software. Ultimately, it's your choice. You get to decide the level of acceptable risk.

Feel free to ask them to change this.

Even if the issue "only" appears in the backend it's not in any way any less dangerous. In fact, that's exactly what attackers would target in a spear phishing campaign. They'd try to trick you into clicking a link whose address is on your site but which redirects you to their malicious site. A simple attack would be pretending to be a Joomla login page which would mislead you into thinking you got logged out of the site and you'd try to log back in (only for your credentials to be sent to the attacker). And that's just the simplest, most obvious attack mode.

No problem. I didn't mean to be a pedant, I want to explain the security considerations behind me saying "no" to what on first blush is a reasonable feature request :)