Changelog

All notable changes to NexusConsent will be documented here.

[1.3.0] - 2026-02-20

Changed

  • Modern DI bootstrap — Added services/provider.php; the plugin is now loaded via Joomla's dependency injection container (PluginInterface + SubscriberInterface) instead of the legacy entry file
  • Removed legacy entry file — Deleted nexusconsent.php (1 081-line legacy class); runtime is now handled entirely by src/Extension/NexusConsent.php
  • Removed legacy export field — Deleted fields/nexusconsentexport.php; the namespaced src/Field/NexusconsentExportField.php is the sole implementation
  • Manifest cleanup — Removed fields folder and addfieldpath attributes from fieldsets; added services folder
  • Upgrade script — Added script.php to clean up orphaned legacy files (nexusconsent.php, fields/) on upgrade from older versions
  • ES6+ inline JavaScript — Modernised all inline JS in src/Field/ form fields (var → const/let, arrow functions, for...of, .includes()); PHP values passed via data-* attributes instead of heredoc interpolation
  • Modern event dispatcher — Replaced deprecated $app->triggerEvent() calls with $app->getDispatcher()->dispatch() using GenericEvent (forward-compatible through Joomla 7)

Fixed

  • Block patterns now match protocol-relative URLs (//cdn.example.com) in addition to https:// and http:// URLs
  • Site scanner now detects scripts loaded with protocol-relative URLs (//cdn.example.com)
  • Fixed literal \n appearing in pattern textareas when adding scan results (nowdoc escape correction)

Security

  • CSV formula injection — CSV export now sanitises cells starting with =, +, -, @, tab or carriage return to prevent formula execution when opened in Excel or LibreOffice
  • Client-side protocol bypass — JavaScript mutation observer now strips protocols from patterns before matching, preventing // and http:// URLs from bypassing client-side blocking
  • Endpoint override validation — Same-origin check now verifies the character after the root prefix, preventing example.com.evil.tld from passing as same-origin
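
The two URL-handling fixes above (protocol bypass and endpoint override), shown as an added JavaScript example that is not NexusConsent's own code. All function names, the substring-match rule, the set of accepted boundary characters and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not NexusConsent's code. All names are hypothetical.

// Pattern matching: drop the scheme (or a leading "//") so that the https://,
// http:// and protocol-relative spellings of one URL compare equal.
// Assumption: a pattern blocks a URL when it occurs in it as a substring,
// and both sides are normalised (the changelog only mentions patterns).
const stripProtocol = (s) => s.trim().replace(/^(?:https?:)?\/\//i, '');

const matchesNaive = (url, pattern) => url.includes(pattern);
const matchesNormalised = (url, pattern) =>
  stripProtocol(url).includes(stripProtocol(pattern));

// Same-origin check: a bare prefix test accepts any host that merely starts
// with the site root. The character after the prefix must end the authority.
// Assumption: root has no trailing slash, e.g. "https://example.com".
const sameOriginNaive = (endpoint, root) => endpoint.startsWith(root);

function sameOriginChecked(endpoint, root) {
  if (!endpoint.startsWith(root)) return false;
  const next = endpoint.charAt(root.length); // '' when endpoint === root
  return next === '' || next === '/' || next === '?' || next === '#';
}

// Constructed sample input.
const ROOT = 'https://example.com';
const PATTERN = 'https://cdn.example.com/tracker.js';
const SCRIPT_URLS = [
  'https://cdn.example.com/tracker.js',
  'http://cdn.example.com/tracker.js',
  '//cdn.example.com/tracker.js',
];
const ENDPOINTS = [
  'https://example.com/index.php?option=consent', // genuine same-origin
  'https://example.com.evil.tld/collect',         // case named in the changelog
  'https://example.com:8443/collect',             // other port, other origin
];

// Which inputs each variant lets through.
function report() {
  return {
    naiveBlocked: SCRIPT_URLS.filter((u) => matchesNaive(u, PATTERN)),
    normalisedBlocked: SCRIPT_URLS.filter((u) => matchesNormalised(u, PATTERN)),
    naiveAccepted: ENDPOINTS.filter((e) => sameOriginNaive(e, ROOT)),
    checkedAccepted: ENDPOINTS.filter((e) => sameOriginChecked(e, ROOT)),
  };
}

console.log(report());
```

Parsing both values with the URL constructor and comparing their origin properties is a stricter alternative when the endpoint is always an absolute URL.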

Added

  • Legal disclaimer — Added a disclaimer to the plugin description noting that NexusConsent is a technical tool, not legal advice
  • Database index — Added idx_updated_at index on #__nexus_consents.updated_at for efficient retention purge queries; upgrade script adds the index to existing installations

Changed (compliance)

  • Consent records preserved on uninstall — The #__nexus_consents table is no longer dropped when the plugin is uninstalled, preserving the audit trail required by GDPR Article 7(1). Admins can drop the table manually if needed.

Fixed (correctness)

  • Upsert false negatives — Replaced two-step UPDATE-then-INSERT with INSERT ... ON DUPLICATE KEY UPDATE, eliminating false failures when consent data is unchanged
  • show_attribution default — PHP fallback now matches the XML manifest default (0 instead of 1)

1.2.0 - February 2026

Added

  • Microsoft Clarity Consent API v2 integration
  • Clarity added to default analytics block patterns
  • Preset Library for quick-add service patterns
  • Site Scanner for server-side detection of external scripts/styles
  • Empty category hiding in consent UI when no patterns exist
  • "Only essential cookies" message when all optional categories are empty
  • Per-category "Reset to defaults" actions for pattern fields

Changed

  • Pattern defaults now apply only on first install
  • Saved empty pattern fields remain empty after save
  • Frontend category payload now includes only categories with patterns

1.0.2 - 2025-01-09

Fixed

  • Minor bug fixes and stability improvements

1.0.1 - 2025-10-15

Fixed

  • Compatibility improvements for Joomla 5.2+
  • Cookie path handling edge cases

1.0.0 - 2025-09-01

Initial public release of NexusConsent for Joomla 4.x/5.x.

Added

  • Analytics (Google Analytics, Hotjar, Mixpanel, etc.)
  • Marketing (Facebook Pixel, LinkedIn, TikTok, etc.)
  • Functional (Google Fonts, Maps, OpenStreetMap)
  • Preferences (custom patterns)
  • Necessary (always enabled, non-optional)
  • Banner or full-screen modal (require-decision mode)
  • Light/Dark/Auto theme support
  • Custom accent colors
  • Repositionable floating "cookie settings" button
  • ARIA live regions and keyboard navigation
  • Focus trapping in modal mode

Server-Side Blocking

  • Blocks scripts, styles, and inline initialisers until consent
  • Pattern-based URL matching for third-party services
  • Preserves CSP nonces and integrity attributes
  • Works with strict Content Security Policy
  • Analytics and ad storage defaults to denied
  • Instant updates when visitors change choices
  • Compatible with Google Tag Manager

Privacy Features

  • Consent cookie contains only version, timestamp, UUID, and category map
  • IP addresses masked in audit log (IPv4 /24, IPv6 /64)
  • Configurable cookie name, path, and lifetime
  • Database retention controls with auto-cleanup

Audit Trail

  • Optional database logging of consent events
  • CSV export for compliance reporting
  • Configurable retention period

Developer Features

  • onNexusConsentGiven event hook
  • onNexusConsentRevoked event hook
  • Manual script guarding via data-consent attribute
  • Optional TCF v2 stub for ad platform compatibility

Security

  • First-party cookie only
  • No external dependencies for core functionality
  • CSRF protection on consent save endpoint