Skip to content

Helix Ultimate J3 Security Fixes v1.0.0

Choose a tag to compare

@siddik-web siddik-web released this 15 Jul 09:47

Version 1.0.0 fixes (Helix baseline 2.1.4-j3sec)

  • [HU-SEC-001] Open redirect protection for helixreturn admin login flow
  • [HU-SEC-002] Central CSRF + ACL enforcement for Helix AJAX actions
  • [HU-SEC-003] Path traversal protection for layout builder and media paths
  • [HU-SEC-004] Upload hardening (extension allowlist, safe filenames, path confinement)
  • [HU-SEC-005] XSS sanitization for blog embeds and admin HTML output
  • [HU-SEC-006] Frontend article attribs merge allowlist; export ACL; no raw $_POST
  • [HU-SEC-007] Mega menu settings sanitization and escaped menu output

Supported environment

Component Version
Joomla 3.10.x
Helix plugin 2.1.0 – 2.1.3 (patched to 2.1.4-j3sec)
Template shaper_helixultimate 2.1.x
PHP 7.2.5 – 8.0 (recommended 7.4 or 8.0)

Per Joomla 3 technical requirements.

Backup first

Always test on staging first.

  • Custom mega menu HTML or badge text may be stripped by sanitizers
  • Blog audio/video embeds are filtered to an allowlist of safe tags
  • Template overrides in templates/shaper_helixultimate/html/ are not modified

Install

  1. Backup site files and database
  2. Joomla Administrator → System → Install → Extensions
  3. Upload helixultimate_j3_security_fixes_v1.0.0.zip
  4. Confirm success message; package removes itself automatically
  5. Audit log written to administrator/logs/helix_j3_security_applied.json