This release of Webform fixes a security vulnerability where unsanitized labels could be displayed to users creating or configuring Webform content. This problem only exists in the Drupal 6 version of Webform. For more information see SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS).
In addition to the security fix, this maintenance release includes several bug fixes as listed below. Upgrading is recommended for all users of Webform 3.x.
Bug fixes since 6.x-3.18:
- #1844278 by Liam Morland: Spelling mistakes.
- #1462986: Undefined index: #webform_component in select.inc.
- #1720922: Notice: Undefined index: aslist in webform_select_options_ajax().
- #1762262: Option for "Parent fieldset" should not hinge on fieldsets alone.
- #1724480 by Alan D., fenstrat: Added API docs for _webform_theme_component() to show that path parameter is required.
- #1730714: Allow private option to be editable in Form Builder.
- #1512902 by rocketeerbkw and tim.plunkett: Document hook_webform_results_access().
- #1577640 by pebosi: Fixed webform-results-submissions typo in template file.
- #1681390 by taldy and quicksketch: Adding components doesn't work when button text was changed.
- #1677020 by stella: Add "hour" and "minute" classes to the time component fields.
- #1689860 by bdone: Document hook_webform_submission_access().
- #1662892 by Liam Morland: Default value radio should not appear for Webform grid elements.
- #1458330 by Liam Morland: Empty string number components throw PHP notice on display.
- #1690548 by acbramley and Liam Morland: Warning: number_format() expects parameter 1 to be double, string given in _webform_csv_data_number().
- #1276550 by acbramley: Anonymous users may not use site default timezone.
- #1698928 by Liam Morland: Display options: private should not depend on title_display.
- #1611772: Cannot create Number component that allows Decimal input that works in some browsers.
- #1615534: Add #type="actions" wrapper around buttons.
- #832952 by dsayswhat: Popup calendar does not work within Panels.