This release of Webform 4.x fixes several issues discovered shortly after the release of 4.0-beta2 (which included a security update). Please read the release notes for 4.0-beta2 for a list of recent changes if upgrading from a previous beta or alpha version.
SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)
This release of Webform 4.x fixes a large number of bugs and addresses an XSS security vulnerability. Beta2 introduces a new feature to preview submissions before submitting them in multipage forms. Upgrading is recommended for all users of Webform 4.x.
This version of Webform moves Webform closer to a stable release. It should also contain the last significant API changes before the release of Webform 4.0. This version adds flexibility around the provided data used to provide analysis, enabling charting of data using the existing hooks. This version also makes some changes to the themed output, if you're overriding theme_webform_element() you may need to update your implementation to ensure conditional functionality continues working.
This release of Webform includes several new features. Including an Excel-native exporter that generates true XLSX files for better compatibility with Excel, Google Docs, OpenOffice and LibreOffice, which can all read and write this file format.
This release also increased PHP requirement to PHP 5.3. Make sure you have it available before upgrading. The new Excel exporter depends on this version of PHP, as well as the ZipArchive PHP extension (which is enabled by default in PHP installations).
This release fixes a major problem when sending e-mails to a custom e-mail value. This release also adds batch-based exporting of results, allowing for large exports of tens of thousands of rows (or more).
These notes are the same as webform 7.x-4.0-alpha7, which was released for a short time but had a critical access control bug. This release is identical to alpha7 with that bug fixed. Thanks @pjcdawkins for reporting the problem.
This release of Webform adds several new pieces of functionality and fixes many bugs in the 4.x branch of the module. New features include HTML5 placeholder support, custom CSS classes for components, better e-mail support, and several other long-requested features.
This release of Webform fixes a security vulnerability where unsanitized labels could be displayed to users creating or configuring Webform content. This problem only exists in the Drupal 6 version of Webform. For more information see SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS).
In addition to the security fix, this maintenance release includes several bug fixes as listed below. Upgrading is recommended for all users of Webform 3.x.
Lots and lots of bug fixes since 7.x-4.0-alpha3. This upgrade is recommended for all Webform 4.x users, as it solves several issues with the conditional support and handling of drafts and multipage forms. Special should out to Liam Morland for all his great work on this release, and to fenstrat, who has joined the Webform development team as a co-maintainer!
#1704158 by fenstrat and quicksketch: Nested components do not display saved draft values.
#1702948 by fenstrat: PHP notice when saving draft in email and textarea components.
#1673422 by rv0: Correct confusing breadcrumb when viewing a submission.
#849574 by minorOffense and quicksketch: Change _webform_submission_user_limit_check function signature to public function.
#1683824 by fenstrat: Allow markup components to be displayed in html/text format.
#1627656 by fenstrat: Conditionals reordering not working.
#1677020 by stella: Add "hour" and "minute" classes to the time component fields.
This release adds an entirely new conditional logic system to Webform. With built-in support for same-page conditionals, multiple conditionals per component, and drastically improved user experience. See issue #1215456: Multiple and same-page conditional rules for background.
The first release of Webform 4.x. This version is identical to the current stable release of Webform (3.18), but includes the patch at #1001798: Rewrite token replacement system to use D7 tokens. Being a new branch, the 4.x APIs may change in the future and not be compatible with other Webform add-on modules.