Helix Ultimate J3 Security Fixes v1.0.0
Version 1.0.0 fixes (Helix baseline 2.1.4-j3sec)
- [HU-SEC-001] Open redirect protection for
helixreturnadmin login flow - [HU-SEC-002] Central CSRF + ACL enforcement for Helix AJAX actions
- [HU-SEC-003] Path traversal protection for layout builder and media paths
- [HU-SEC-004] Upload hardening (extension allowlist, safe filenames, path confinement)
- [HU-SEC-005] XSS sanitization for blog embeds and admin HTML output
- [HU-SEC-006] Frontend article attribs merge allowlist; export ACL; no raw
$_POST - [HU-SEC-007] Mega menu settings sanitization and escaped menu output
Supported environment
| Component | Version |
|---|---|
| Joomla | 3.10.x |
| Helix plugin | 2.1.0 – 2.1.3 (patched to 2.1.4-j3sec) |
| Template | shaper_helixultimate 2.1.x |
| PHP | 7.2.5 – 8.0 (recommended 7.4 or 8.0) |
Per Joomla 3 technical requirements.
Backup first
Always test on staging first.
- Custom mega menu HTML or badge text may be stripped by sanitizers
- Blog audio/video embeds are filtered to an allowlist of safe tags
- Template overrides in
templates/shaper_helixultimate/html/are not modified
Install
- Backup site files and database
- Joomla Administrator → System → Install → Extensions
- Upload
helixultimate_j3_security_fixes_v1.0.0.zip - Confirm success message; package removes itself automatically
- Audit log written to
administrator/logs/helix_j3_security_applied.json