Install

Works with Drupal: 7.x

Using Composer to manage Drupal site dependencies

Downloads

Download webform-7.x-3.22.tar.gztar.gz 133.43 KB
MD5: af8e64222a07a850b5d9d1798a1d1bb2
SHA-1: 56f81b4cbd4e00e6b3200a2ce7ab57654695f2a2
SHA-256: 2937bfcc6ab29312da15bdebfd719309558899db8cc914901a6b6497a7a87694
Download webform-7.x-3.22.zipzip 168.83 KB
MD5: c8cc8c061146b93118fb75f7db811a77
SHA-1: cc3d7822707e1292081e4f73fc33f87789ad0662
SHA-256: 3fa69f1f3148ed4914f0a79efb16f89ecca672d41f5cda04457b43a2e28975ca

Release notes

This release of 7.x-3.x fixes one security issue. Updating is strongly recommended for all users of the 7.x-3.x branch. See SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) for details.

Security issue

When a webform is made available as a block, the node's title is used as the default block title. This title is not sufficiently sanitized, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

Changes since 7.x-3.21:

  • #SA-152635 by DanChadwick: Fixed default block title.
Created by: DanChadwick
Created on: 3 Mar 2015 at 18:15 UTC
Last updated: 2 Aug 2018 at 04:56 UTC
Security update
Insecure

Other releases