Works with Drupal: 7.x
Release notes
This release of 7.x-3.x fixes one security issue and a number of bugs. Updating is strongly recommended for all users of the Webform 7.x-3.x branch.
See SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS) for details.
Security issue
When a webform component is used as the "To" address or addresses for sending an e-mail, the name of the component is not sufficiently sanitized when it is displayed in the list of e-mail settings, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update webform nodes. This permission is normally granted only to administrative users.
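The pattern behind this issue, shown as an added example that is not Webform's own code: a component name is stored as entered and must be escaped when the e-mail settings list is rendered. The function names, array layout and sample data are hypothetical, and `escape_plain()` stands in for Drupal 7's `check_plain()` so the snippet runs without Drupal.

```php
<?php
// Added illustration, not code from the Webform module.

// Constructed sample: components of one webform, keyed by component id.
$components = array(
  1 => array('name' => 'Your e-mail address'),
  2 => array('name' => '<script>alert(1)</script>'),
);

// Constructed sample: e-mail settings. Assumption: a numeric "email" value
// refers to a component id, anything else is a literal address.
$emails = array(
  array('eid' => 1, 'email' => 'admin@example.com'),
  array('eid' => 2, 'email' => '2'),
);

// Stand-in for check_plain(), which wraps htmlspecialchars() in Drupal 7.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Resolve the "To" value to the text shown in the settings list.
function to_text($email, $components) {
  $to = $email['email'];
  if (is_numeric($to) && isset($components[(int) $to])) {
    return 'Component: ' . $components[(int) $to]['name'];
  }
  return $to;
}

// Vulnerable pattern: the resolved text goes into the markup as-is, so a
// component name containing markup is interpreted by the browser.
function render_row_unsafe($email, $components) {
  return '<td>' . to_text($email, $components) . '</td>';
}

// Hardened pattern: escape at output time, whatever the source of the text.
function render_row_safe($email, $components) {
  return '<td>' . escape_plain(to_text($email, $components)) . '</td>';
}

foreach ($emails as $email) {
  echo 'unsafe: ' . render_row_unsafe($email, $components) . "\n";
  echo 'safe:   ' . render_row_safe($email, $components) . "\n";
}
```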
Changes since 7.x-3.22:
- #153017 by Dan Chadwick: Incorrect display of select component in e-mail list.
- #2327993 by torotil, DanChadwick: Breadcrumb and active menu trail incorrect on submission confirmation page
- #1919872 by torotil, DanChadwick: Skip hook_node_view() if webform is not rendering a form for a view mode.
- #2396083 by DanChadwick, torotil: Notice: Undefined index: #default_value in webform_expand_select_or_other()
- #1332820 by torotil, csdco, quicksketch, gstout, manoloka: Parts of nested tokens (in fieldsets) printed.
- #1737236 by dwieeb: Fixed docblock for hook_node_delete().
- #2303607 by theunraveler: Fixed Entity cache not cleared properly when adding/editing/deleting webform emails.
- #2031937 by DanChadwick: Fixed Document hook_webform_results_clear_access() in webform.api.php.
- #914814 by DanChadwick: Fixed escaped checkbox option values are not saved (keys with quotes or ampersands).
- #2442241 by markus_petrux: Translatable property for 'Other' option text is missing
- #2213945 by torotil: unique validation terribly slow on large databases (due to missing index).
- #2215947 by quicksketch, David_Rothstein: "Previous" button on multistep forms breaks the form when a webform is panelized.