From 32444af374e7e65f92deee41c9a7e9c9a7a38d9e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 30 Jan 2026 05:18:44 +0000 Subject: [PATCH] Add security documentation for custom head content feature Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com> --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 4a48a2d..33d286b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -123,6 +123,25 @@ Security posture is reinforced through operational controls: * Consistent path normalization and whitespace hygiene checks where required for release correctness. * Least privilege for GitHub Actions permissions. +### Template Security Features + +**Custom Head Content Injection** + +The template provides Custom Head Code fields (`custom_head_start` and `custom_head_end`) that allow administrators to inject custom HTML, CSS, and JavaScript code. This is an intentional feature for: + +* Adding analytics scripts (Google Analytics, Google Tag Manager) +* Custom meta tags +* Third-party integrations +* Custom styling + +**Security Considerations:** + +* These fields use `filter="raw"` to allow HTML/JS injection +* **Access is restricted to Joomla administrators only** via template configuration +* This is not an XSS vulnerability as it requires administrator privileges +* Administrators should only add trusted code from verified sources +* Regular security audits should review custom head content + This policy does not guarantee that all vulnerabilities will be prevented. It defines how risk is managed when issues are discovered. ## Safe Harbor
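Review bot: In the "Security Considerations" list, the sentence "This is not an XSS vulnerability as it requires administrator privileges" overstates the argument and should be reworded to describe the actual trust boundary: `filter="raw"` bypasses Joomla's form text filtering entirely, so anyone who can edit the template style (a compromised administrator session, or any account granted edit rights on template styles in com_templates) can store arbitrary script that executes in every visitor's browser. Suggest replacing it with something like "Raw HTML/JS is stored unsanitised; the risk is accepted because the fields are only writable through the Joomla administrator ACL for template styles", and tying that to the existing "Least privilege" bullet just above the hunk. Two smaller points: "Access is restricted to Joomla administrators only via template configuration" is imprecise, since the template itself enforces nothing and the restriction comes from Joomla's component ACL, so "via Joomla's template style edit permissions" would be more accurate; and "Regular security audits should review custom head content" would be more actionable if it named what to audit (e.g. diff the stored `custom_head_start`/`custom_head_end` values against the approved snippets after each release or admin change). Style: the file uses `###` headings, so "**Custom Head Content Injection**" and "**Security Considerations:**" would read better as `####` sub-headings rather than bold paragraphs.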