Install

Works with Drupal: 7.x

Using Composer to manage Drupal site dependencies

Downloads

Download webform-7.x-4.4.tar.gz (tar.gz, 202.78 KB)
MD5: 7933b2eaa6bfd7648b490c6c1e34f56c
SHA-1: cbaa3028343b44e36bc8a7236fd42f7ed47647c5
SHA-256: ee2cca91af41365b50a4476ef24c397e4b6cfe0c9c2ce01f3ee927ca4641f9c2
Download webform-7.x-4.4.zip (zip, 249.93 KB)
MD5: 7e70d11e1390e6574cc4f7bfe969e8f6
SHA-1: 0b9d9e434d19888ca77ee2d125b2ab053f9e4ddb
SHA-256: 783c4df697784f138f46e7de818845632226bfd065ed3751e8bfbb81f26614ea

Release notes

This release of 7.x-4.x fixes two security issues, a number of bugs, and introduces new features. Immediate updating is strongly recommended for all users of the 7.x-4.x branch. See SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS) for details.

Security issues

  1. Webform did not sufficiently escape user data presented to administrative users in the webform results table, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission to submit a webform and the administrative user must subsequently visit the webform's results table tab.
  2. When a webform is made available as a block, the node's title is used as the default block title. This title was not sufficiently sanitized, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission to administer blocks and create or edit webform nodes.

Security Advisory

Upgrading from Webform 3.x to 4.0

If you're upgrading from Webform 3.x, please make a database backup prior to upgrading and check that all modules that extend Webform on your site are Webform 4.x compatible. Slight differences in the class names and IDs may result in updates being needed to your site's CSS. See the API changes between 3.x and 4.x documentation for more information.

Upgrading is recommended for all Webform 3.x users who have determined that any related modules are compatible with Webform 4.

Changes since 7.x-4.3:

  • #SA-152388 by DanChadwick: Improve handling of plain format for view row plugin and submission data handler.
  • #SA-152635 by DanChadwick: Fixed default block title.
  • #2444339 by DanChadwick: Undefined index in webform_handler_area_result_pager and related handler bugs.
  • #2327993 by DanChadwick: Breadcrumb and active menu trail incorrect on submission confirmation page.
  • #2416013 by DanChadwick: Fixed Excel export submission timestamp is in UTC; should be local time.
  • #2443373: drush wfx --format=excel cannot create file
  • #2226795 by DanChadwick: Fixed drush wfx range command do not work.
  • #2438363 by DanChadwick: Added a check for #ajax in webform_pre_render_remove_id.
  • #2420249 by DanChadwick: Added option to force Excel wordwrap.
  • #2416191 by DanChadwick: Fixed no-header output for Excel so that output rows aren't skipped.
  • #2125543 by DanChadwick: Fixed export to Excel should use UTF-8 charset in htmlspecialchars().
  • #2416191 by DanChadwick: Added wfx option to skip the header by setting header-keys none (-1).
  • #914814 by DanChadwick: Fixed escaped checkbox option values are not saved (keys with quotes or ampersands).
  • #2125543 by DanChadwick: Fixed Excel reports Webform export files are corrupted when some characters are entered in text fields.
  • #2442241 by markus_petrux: Fixed #translatable property for 'Other' option text is missing.
  • #2428413 by jamesbisset, DanChadwick: Added drush wfx can't exclude draft submissions.
  • #2442117 by COBadger: Typo: "optin to send" should be "option to send"
  • #2422611 by DanChadwick: Fixed text on preview page when editing a submission with custom Submit button label.
  • #2390833 by DanChadwick: Unchecked single checkbox not saved, shows as checked
  • #2429747 by DanChadwick: Allow markup components to display on submission without theming.
  • #1509424 by thijsvdanker: Access regression for webform/ajax/options/%webform_menu.
  • #2428037 by DanChadwick, agoradesign: Make max_input_vars check optional
  • #2426763 by DanChadwick: PDOException on analysis of option-less select component.
  • #2416241 by DanChadwick: Use views to display table of webforms.
Created by: DanChadwick
Created on: 3 Mar 2015 at 18:24 UTC
Last updated: 2 Aug 2018 at 04:56 UTC
Security update
Bug fixes
New features
Insecure
