Download views-7.x-3.6.tar.gztar.gz 1.56 MB
MD5: 1531a1ece3970332db1559b854f5dcc9
SHA-1: ba3b766cbf2ac884d0c2f632ea341abd9bda2a71
SHA-256: fe230f80ff59f34f38075707759db596766dddf4fe996a3adf8bc2c9e5ea7b26
Download views-7.x-3.6.zipzip 1.79 MB
MD5: 0d7c7de301caa52670869060e22d1ef3
SHA-1: 6e25f9037dd928b14d47693b9097001ffd44a627
SHA-256: da4a9eb08721d5171c4da5e7cdd71f8f62fcb032558eb6263290ee88109bbb12

Release info

Created by: dawehner
Created on: 20 Mar 2013 at 20:10 UTC
Last updated: 21 May 2014 at 15:55 UTC
Core compatibility: 7.x
Release type: Security update

Release notes

The security issue in views is caused by various places in the views UI where a string is not sanitized,
because it has been assumed to be static and by commiters, though you can change some of these strings using other administrative permissions. SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

Other commits:

  • #82088 by grisendo: Add sanitation in various places in the views UI
  • #1920690 by jnettik: Added Allow for inline to be configured for jump menus.
  • #1551534 by bcn: Added Allow a button in an exposed forms to trigger ajax.
  • #1914024 by peximo | heyyo: Fixed Title-overriden term name not translated on a taxonomy overriden views page.
  • #1889198 by Pedro Lozano: Fixed Performance problem in _views_fetch_data(), multiple unnecessary cache rebuilds.
  • #1496418 by dawehner, hass, webflo: Fixed Views: Don't change capitalization of translatable strings with CSS.
  • #1852116 by Les Lim, Chris Burge: Added Backport from D8: Customizable true/false Views output for booleans.
  • #1294056 by dawehner | wgthompson: Fixed Cannot use Aggregator IID in Contextual Filter.
  • #1514162 by SteveTheRed: Fixed Regular expression filters on numeric fields produce invalid SQL.
  • #1947444 by ericduran: Fixed Do not always apply the jQuery UI dialog patch.
  • #1920278 by greggles, dawehner: Indicate that 'administer views' and 'access all views' is kind of a big deal by making it 'restrict access' -> true.
  • #1525152 by dawehner, Berdir, Georgique: Fixed format_key() handling broken which results in lost translations.
  • #1306564 follow-up by damiankloip, jweowu: Added Remove contextual links from rendered view.
  • #857282 by dawehner, slv_ | Bojhan: Fixed Advanced help message.
  • #1879290 by xiukun.zhou | rb2k: Fixed Error 'Use of undefined constant link_url() on default homepage.
  • #1391856 by mariacha1 : Don't export field display_options()['fields']['url']['alter']['target'] as translatable string.
  • #1804448 by naxoc: Fixed Code from documentation is causing PHP notices.
  • #1831142 by damiankloip, mducharme, dawehner: Fixed Path is never empty in option summary.
  • #1874838 by Itangalo, dawehner: Added Allow exposed blocks to use 'Link display' settings.
  • #1852588 by Ivan Zugec | toomanypets: Fixed Incorrect filename in documentation.
  • small codestyle fixes in the prev. commit
  • #1863020 by amarnus: Fixed View's build fails when an unrelated form on the same page has validation errors.
  • #1862014 by tim.plunkett, agentrickard: Fixed Revision handler makes assumptions about path.
  • #1069326 by atouchard, dawehner, greggles | dgiamporcaro: Fixed access arguments on admin/views/ajax/autocomplete/user ajax call.
  • #1855816 by Hydra: Fixed Disableing 'Add views row classes' causes div's with whitespace.
  • #1844276 by nagwani, YesCT | jweowu: Fixed Spelling mistake.
  • #1677692 by damiankloip, ptrl, kid_icarus | chebureque: Fixed Remove duplicates from exposed search filter results.
  • #1807916 by David_Rothstein | Gode: Fixed Reset button on exposed filters causes a redirect loop in Drupal 7.17.
  • #1829734 by dawehner, dww: Expose tracker data to views.
  • #1625248 by Jorrit | sigent: Fixed Mini Pager ('tags') aren't being applied.
  • #1822440 by ezra-g: Fixed 'Content access' filter should check for node_grants() implementations before adding node access grant queries.
  • #1815062 by Ignigena | jhr: Typo 'Standard derivation' to 'Standard deviation' .
  • #1809510 by erikwebb: Added Make render time performance metric accessible in hook_views_post_render().
  • #1752062 by NewSky, dawehner, shardach: Fixed Fatal error: Unsupported operand types in [path to drupal]/sites/all/modules/views/includes/ on line 1032.
  • #1507854 by rooby, mgifford: Added the ability to have a label for jump menu selector fields.
  • #843708 by colan, mgifford, samuelsov, greggles, dawehner: Added option to set caption in the html table (Accessibility).
  • #1421844 by catch, bdragon, swentel | thebuckst0p: Fixed views_fetch_data() cache item can reach over 10mb in size.
  • #948198 by Darren Oh, dawehner | perandre: Added Option not to display Order selectbox when using Exposed sort criterion.
  • #1646392 by ygerasimov, damiankloip | henrikakselsen: Fixed Getting a 'No views match the search criteria.' on the main views screen.
  • #1782678 by Pierre Paul Lefebvre: Fixed 'Combine fields' filter doesn't work with 'Contains any word'.
  • #1515156 by plach, fabsor, steinmb: Added Expose the field language column for translatable fields.
  • #1496418 by dawehner, webflo, hass: Fixed Remove capitalization abuse in strings.
  • #1791372 by yannickoo: Added 0 and 1 to views_handler_field_boolean().
  • #1751460 by sphism: Clarify the empty result settings description on fields.
  • #1754354 by andypost, Staratel | bjarkig82: Change the node_revision default_relationship to use a vid join to match the previous behaviour.
  • #1765824 by tim.plunkett: Issue #1765824 by tim.plunkett: Make define_mappings on map style plugin abstract.
  • #1765824 by tim.plunkett: Added Provide a way to map views fields to a certain meaning.
  • #1765724 by tim.plunkett: Fixed options_form() is called twice for Page and Feed.
  • #1632504 by joachim: Fixed views_handler_field_term_link_edit() should check it actually has a term tid.


The selected release is the release that will be used for automated testing. Optional projects are only used for testing.



No optional projects