Install

Works with Drupal: 7.x

Using Composer to manage Drupal site dependencies

Downloads

Download webform-7.x-3.23.tar.gz (tar.gz, 134.4 KB)
MD5: 6a507412ba68d7b371fb13f18c739149
SHA-1: 4e2ea6f91102ca23c1260424db5fa9b68c6de017
SHA-256: 8e6299ba6e944300dbcbdfa791e2eba32287b8d884cf51123dc0a1dcb125fcdf
Download webform-7.x-3.23.zip (zip, 169.7 KB)
MD5: 983c5de791d9d7bd19844cb3bb41fae6
SHA-1: c304d3fde1b28064c3708c4fddf78ac21f076da3
SHA-256: 3bfcde4b1a5a39a3aced93af818dafc016a4196fafa77ea5218de022c33d624c

Release notes

This release of 7.x-3.x fixes one security issue and a number of bugs. Updating is strongly recommended for all users of the webform 7.x-3.x branch.
See SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS) for details.

Security issue

When a webform component is used as the "To" address or addresses for sending an e-mail, the name of the component is not sufficiently sanitized when it is displayed in the list of e-mail settings, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update webform nodes. This permission is normally granted only to administrative users.
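
The class of flaw described above, as an added illustration that is not Webform's own code: a component name rendered into the e-mail settings list without output encoding, next to the encoded form. All function names and sample data are hypothetical and constructed; example_check_plain() mirrors what Drupal 7's check_plain() does.

```php
<?php
// Added illustration; not Webform's code. All names below are hypothetical.

// Constructed sample data: components as a node editor could have saved them.
$components = array(
  3 => array('name' => 'Contact e-mail'),
  7 => array('name' => '<script>alert(1)</script>'),  // markup in a label
);
// Constructed e-mail settings: 'email' holds the component id used as "To".
$emails = array(
  array('email' => 3),
  array('email' => 7),
);

/**
 * Stand-in for Drupal 7's check_plain(): encode HTML special characters.
 */
function example_check_plain($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

/**
 * Builds the "To" column cells for the e-mail settings list.
 *
 * @param bool $escape
 *   FALSE reproduces the flaw, TRUE is the hardened form.
 */
function example_email_list_cells(array $emails, array $components, $escape) {
  $cells = array();
  foreach ($emails as $email) {
    $name = $components[$email['email']]['name'];
    // The label is user-supplied data, so it is encoded for the HTML context
    // at output time, regardless of which role was allowed to enter it.
    $label = $escape ? example_check_plain($name) : $name;
    $cells[] = '<td>Component: ' . $label . '</td>';
  }
  return $cells;
}

// Print both renderings so the difference in the emitted HTML is visible.
foreach (array(FALSE, TRUE) as $escape) {
  echo $escape ? "Escaped:\n" : "Unescaped:\n";
  foreach (example_email_list_cells($emails, $components, $escape) as $cell) {
    echo '  ' . $cell . "\n";
  }
}
```

In the escaped rendering the second cell carries the label as inert text (&lt;script&gt;...), while the unescaped rendering passes the markup through to the administrator's browser.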

Changes since 7.x-3.22:

  • #153017 by Dan Chadwick: Incorrect display of select component in e-mail list.
  • #2327993 by torotil, DanChadwick: Breadcrumb and active menu trail incorrect on submission confirmation page
  • #1919872 by torotil, DanChadwick: Skip hook_node_view() if webform is not rendering a form for a view mode.
  • #2396083 by DanChadwick, torotil: Notice: Undefined index: #default_value in webform_expand_select_or_other()
  • #1332820 by torotil, csdco, quicksketch, gstout, manoloka: Parts of nested tokens (in fieldsets) printed.
  • #1737236 by dwieeb: Fixed docblock for hook_node_delete().
  • #2303607 by theunraveler: Fixed Entity cache not cleared properly when adding/editing/deleting webform emails.
  • #2031937 by DanChadwick: Fixed Document hook_webform_results_clear_access() in webform.api.php.
  • #914814 by DanChadwick: Fixed escaped checkbox option values are not saved (keys with quotes or ampersands).
  • #2442241 by markus_petrux: Translatable property for 'Other' option text is missing
  • #2213945 by torotil: unique validation terribly slow on large databases (due to missing index).
  • #2215947 by quicksketch, David_Rothstein: "Previous" button on multistep forms breaks the form when a webform is panelized.
Created by: DanChadwick
Created on: 17 Mar 2015 at 16:48 UTC
Last updated: 2 Aug 2018 at 04:56 UTC
Security update
Bug fixes
Insecure
