7.x-4.14 is a primarily bug fix release. Updating is recommended for all users of the 7.x-4.x branch.
The majority of the issues addressed in this release arose from community-written patches. A few received community review while the bulk were maintainer-reviewed. The best path to having your pet issues resolved is to write clear issue summaries, provide patches, and then review other patches with a request to receive reciprocal community review.
While this is not a security release, it does contain two improvements to let users better understand the security ramifications of two preexisting features:
- Submission results downloaded as delimited text files (e.g. CSV). Some spreadsheets interpret cell data within a delimited text file as a formula, leading to a formula injection vulnerability in the spreadsheet. Data submitted by untrusted users that may be opened by a spreadsheet should be downloaded in Microsoft Excel format rather than delimited text format. The Webform submission download page makes this clear.
Upgrading from Webform 3.x to 4.0
Upgrading is recommended for all Webform 3.x users who have determined that any related modules are compatible with Webform 4. Make a database backup prior to upgrading. See the API changes between 3.x and 4.x documentation for more information.
Changes since 7.x-4.13:
- #2712611 by grahamC: Fixed re-parented components deleted with old parent.
- #2688621 by joelstein: Added hide additional extensions field on file component if no access via form_alter.
- #2614384 by ben.bunk: Added let Drupal determine enctype of a form.
- #2661718 by Nicolaj, DanChadwick: Fixed no server side validation of required grid components.
- #2690815 by guilopes: Fixed integrity constraint violation when trying to save conditionals via features.
- #2673050 by FeyP: Fixed refresh entitycache after changing email status on email overview page.
- #2733427 by anrikun: Fixed PHP warning: min(): Array must contain at least one element in webform_expand_grid.
- #2786933 by grahamC: Fixed conditionals lost during update from 3.x.
- #2788981 by Liam Morland: Fixed documentation for _webform_submission_serial_next_value_used.
- #2627874 by Rade, DanChadwick: Fixed space used as thousands separator produces validation error.
- #2768023 by kanei, DanChadwick: Fixed allow #element_validate and select options_callback to be a php callables rather than function names.
- #2612844 by tom_ek, DanChadwick: Fixed non-required partial dates fail validation with no value entered.
- #2788591: Added warning about opening CSV files with spreadsheets.
- #2784455 by Roshni Patel, 3rik5: Fixed description displays between field prefix and input for number/text components when above.
- #2644830 by DanChadwick: Standardize name of field's form key to "Form key".
- #2784329 by DanChadwick: Fixed defining conditionals with multiple actions.