Works with Drupal: 7.x
Release notes
This release of 7.x-4.x fixes one security issue and a number of bugs. Updating is strongly recommended for all users of the 7.x-4.x branch. See SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS) for details.
Security issue
When a webform component is used as the "To" address or addresses for sending an e-mail, the name of the component is not sufficiently sanitized when it is displayed in the list of e-mail settings, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or update webform nodes and edit webform components and settings. This permission is normally granted only to administrative users.
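The pattern described under "Security issue", as an added PHP illustration that is not Webform's own code: a component name placed into the e-mail settings list first without and then with output escaping, plus a check for names worth reviewing. All function names and the sample components are hypothetical; escape_plain() makes the same htmlspecialchars() call as Drupal 7's check_plain().

```php
<?php
// Added illustration, not Webform's code. All names here are hypothetical.

// Same escaping that Drupal 7's check_plain() performs.
function escape_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Before: the component name goes into the e-mail list markup unescaped,
// so any markup in the name is interpreted by the browser.
function email_row_unsafe(array $component) {
  return '<tr><td>Component: ' . $component['name'] . '</td></tr>';
}

// After: the name is escaped at the point of output and renders as text.
function email_row_safe(array $component) {
  return '<tr><td>Component: ' . escape_plain($component['name']) . '</td></tr>';
}

// Review aid: return components whose names change under escaping, i.e.
// names containing <, >, &, or quotes. A hit is a prompt for review, not
// proof of abuse (a name such as "Q&A" is also reported).
function components_needing_review(array $components) {
  return array_values(array_filter($components, function ($c) {
    return escape_plain($c['name']) !== $c['name'];
  }));
}

// Constructed sample data: components used as the e-mail "To" address.
$components = array(
  array('cid' => 1, 'name' => 'Your e-mail address'),
  array('cid' => 2, 'name' => 'Recipient <script>alert(1)</script>'),
);

foreach ($components as $c) {
  echo 'unsafe: ', email_row_unsafe($c), "\n";
  echo 'safe:   ', email_row_safe($c), "\n";
}
foreach (components_needing_review($components) as $c) {
  echo "review cid {$c['cid']}: ", escape_plain($c['name']), "\n";
}
```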
Upgrading from Webform 3.x to 4.0
If you're upgrading from Webform 3.x, please make a database backup prior to upgrading and check that all modules that extend Webform on your site are Webform 4.x compatible. Slight differences in the class names and IDs may result in updates being needed to your site's CSS. See the API changes between 3.x and 4.x documentation for more information.
Upgrading is recommended for all Webform 3.x users who have determined that any related modules are compatible with Webform 4.
Changes since 7.x-4.4:
- #153017 by Dan Chadwick: Incorrect display of select component in e-mail list.
- #2449383 by Upchuk, DanChadwick: Select list component display incorrectly orders items; should match component order
- #2452845 by DanChadwick: Whitespace and capitalization adjusted to standards.
- #2452771 by DanChadwick: Use views tag of 'webform' for webform built-in views
- #2451077 by skyhawk669: Cannot resend emails for results of webform using conditional email feature
- #2449501 by DanChadwick: Site name containing UTF-8 used with emails with Reply-To feature
- #2447745 by DanChadwick: Value of a hidden field should be empty in browser
- #2396083 by DanChadwick: Notice: Undefined index: #default_value in webform_expand_select_or_other().
- #2446083 by DanChadwick: Inter- plus intra-page conditions don't get inter-page values
- #2424243 by Leksat, DanChadwick: Fixed numeric keys in Javascript settings.
- #2445931 by DanChadwick: Webform advanced feature to index forms should be replaced by view mode.
- #1919872 by DanChadwick: Skip hook_node_view() if webform is not rendering a form for a view mode.