Download webform-7.x-4.14.tar.gztar.gz 238.79 KB
MD5: 9d28b1cbc3d380074b6926181543e445
SHA-1: 9ac975d8d45bc7b9ee8f2e7a91dbcae9ffa31e93
SHA-256: 1c49d6cbc13d328e6cfd704928fa9175b19951c2c0aff72c7f3f53100ff9140c
Download webform-7.x-4.14.zipzip 288.82 KB
MD5: f847b8b6bb586eeda84c43d6977ea00b
SHA-1: 731f6245389376de76e61c0cee94d240c8c7f05c
SHA-256: a710f781a587f32247d8941207ba254952ac7c5252d7e66c5b77cf7d949b0986

Release info

Created by: DanChadwick
Created on: 28 Aug 2016 at 12:14 UTC
Last updated: 13 Apr 2017 at 18:14 UTC
Core compatibility: 7.x
Release type: Bug fixes, New features

Release notes

7.x-4.14 is a primarily bug fix release. Updating is recommended for all users of the 7.x-4.x branch.

The majority of the issues addressed in this release arose from community-written patches. A few received community review while the bulk were maintainer-reviewed. The best path to having your pet issues resolved is to write clear issue summaries, provide patches, and then review other patches with a request to receive reciprocal community review.

Security hardening

While this is not a security release, it does contain two improvements to let users better understand the security ramifications of two preexisting features:

  • Changing disabled components. The description of the disabled option now clarifies that it is still possible for a user to use developer or JavaScript tools to modify the value of a disabled component. This is by design and is considered desirable. To store a submission value that cannot be changed by the user, use a hidden component with the "secure value" option.
  • Submission results downloaded as delimited text files (e.g. CSV). Some spreadsheets interpret cell data within a delimited text file as a formula, leading to a formula injection vulnerability in the spreadsheet. Data submitted by untrusted users that may be opened by a spreadsheet should be downloaded in Microsoft Excel format rather than delimited text format. The Webform submission download page makes this clear.

Upgrading from Webform 3.x to 4.0

Upgrading is recommended for all Webform 3.x users who have determined that any related modules are compatible with Webform 4. Make a database backup prior to upgrading. See the API changes between 3.x and 4.x documentation for more information.

Changes since 7.x-4.13:

  • #2712611 by grahamC: Fixed re-parented components deleted with old parent.
  • #2688621 by joelstein: Added hide additional extensions field on file component if no access via form_alter.
  • #2614384 by ben.bunk: Added let Drupal determine enctype of a form.
  • #2661718 by Nicolaj, DanChadwick: Fixed no server side validation of required grid components.
  • #2690815 by guilopes: Fixed integrity constraint violation when trying to save conditionals via features.
  • #2673050 by FeyP: Fixed refresh entitycache after changing email status on email overview page.
  • #2733427 by anrikun: Fixed PHP warning: min(): Array must contain at least one element in webform_expand_grid.
  • #2786933 by grahamC: Fixed conditionals lost during update from 3.x.
  • #2788981 by Liam Morland: Fixed documentation for _webform_submission_serial_next_value_used.
  • #2627874 by Rade, DanChadwick: Fixed space used as thousands separator produces validation error.
  • #2768023 by kanei, DanChadwick: Fixed allow #element_validate and select options_callback to be a php callables rather than function names.
  • #2612844 by tom_ek, DanChadwick: Fixed non-required partial dates fail validation with no value entered.
  • #2788591: Added warning about opening CSV files with spreadsheets.
  • #2678704 by DanChadwick: Fixed description of disabled components to allow for change via JavaScript or dev tools.
  • #2784455 by Roshni Patel, 3rik5: Fixed description displays between field prefix and input for number/text components when above.
  • #2644830 by DanChadwick: Standardize name of field's form key to "Form key".
  • #2784329 by DanChadwick: Fixed defining conditionals with multiple actions.


The selected release is the release that will be used for automated testing. Optional projects are only used for testing.