Support

I will take a guess as to what is going on, based on experience, since I don't have the URL that got blocked. Go to Components, Admin Tools, Web Application Firewall, Configure WAF and set "Block template=foo site template switch" to No.

Can I please have the exact URL that gets blocked?

For what it's worth, I believe that indeed you need to change the list of allowed tmpl= keywords but what you have entered seems random and out of place. The tmpl keyword will appear in the exact URL that gets blocked and I am pretty sure it's neither acym nor com_acym. It could also be something else. So I really need that URL to tell you exactly what it is.

OK, here's another way to go about it. After having that URL blocked go to Admin Tools, Web Application Firewall, Blocked Requests Log. Look for the entry with the component/acym/archive URL. Can you please tell me what the Reason listed there is?

I downloaded AcyMailing and took a look at its code. There is a bug in administrator/components/com_acym/libraries/joomla/form.php line 30, in the acym_noTemplate() method.  The 'none' in there should probably be 'raw' because there is no such thing as tmpl=none in Joomla but there is tmpl=raw. Not by explicit code but by custom. The reason dates back to Joomla 1.0 but that's besides the point.

The difference between tmpl=component and tmpl=raw is subtle. tmpl=component doesn't render the template's page chrome but it loads its CSS (it goes through the component.php file of the template) whereas tmpl=raw does not go through the template at all.

In Joomla 3 an unknown tmpl keyword acts as though tmpl=raw was used. In Joomla 4 any unknown tmpl keyword, included "none", throws an error. Moreover, Joomla 4 removed tmpl=raw and treats it as though no tmpl parameter was passed, i.e. everything is rendered through the site's template.

The reason Admin Tools blocks unknown tmpl keywords is that if they are not handled by a system plugin they can cause Joomla to load an arbitrary PHP file from the main directory of the template. Reducing the attack surface area to the default values shipped with Admin Tools mitigates the risk. 'component' has special meanings in templates, 'system' is caught by Joomla, 'raw' is the customary absolutely-no-template value and 'koowa' is a special value used by the Nooku Framework. None of these will cause a security issue on Joomla 3.

Can you please contact AcyMailing authors and let them know? I can't find their contact information. If they need to write back to me they can email me at nicholas at our site's domain name. I will be happy to help them understand this better if they need to.

In any case, you can tell Admin Tools to ignore AcyMailing's bug. Go to Components, Admin Tools, Web Application Firewall, Configure WAF and add none at the end of the comma-separated  “List of allowed tmpl= keywords”. So, the entire thing would now read:

component,system,raw,koowa,none

I hope that helps.

You did not do what I told you to do. You did something different.

Go to Components, Admin Tools, Web Application Firewall, Configure WAF and set the “List of allowed tmpl= keywords” to exactly the followin

component,system,raw,koowa,none

Do not add a trailing comma, do not add random and useless things I did not tell you to put there. If this still doesn't work for you I can make the ticket private so I can take a look at your site.