webform 7.x-3.17

Security update
Bug fixes
Insecure

This release of Webform fixes a few issues discovered since the 3.16 release, specifically around the new AJAX-enabled file component added in 3.16, as well as some long-standing minor bugs. This release also includes a security fix related to using Webform in combination with Select or Other... module. If you are using Webform and Select or Other modules together, please upgrade your site immediately. See SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS) for more details.

Bug fixes:

  • #1468324: Files are never marked permanent in 7.x-3.16.
  • #1472140: Drupal 6 number components missing label on submission display.
  • #1462286 by cbrasfield: Webform Components Clone cid variable is unset, but never actually re-set.
  • #1207374: Node tokens (provided by Webform) don't work as default values or description.
  • #1287474 by joachim: Don't show 'resend emails' action on the submission when there are no emails.
  • #1469530: Pass setcookie() HTTPONLY to prevent cross-site scripting.

webform 6.x-3.17

Security update
Bug fixes
Insecure

This release of Webform fixes a few issues discovered since the 3.16 release, as well as some long-standing minor bugs. This release also includes a security fix related to using Webform in combination with Select or Other... module. If you are using Webform and Select or Other modules together, please upgrade your site immediately. See SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS) for more details.

Bug fixes:

  • #1472140: Drupal 6 number components missing label on submission display.
  • #1462286 by cbrasfield: Webform Components Clone cid variable is unset, but never actually re-set.
  • #1207374: Node tokens (provided by Webform) don't work as default values or description.
  • #1287474 by joachim: Don't show 'resend emails' action on the submission when there are no emails.
  • #1469530: Pass setcookie() HTTPONLY to prevent cross-site scripting.
  • #1470262 by bart.hanssens: Use the request_uri() function instead of $_SERVER['REQUEST_URI'] for Non-Apache servers.

block_class 7.x-1.1

Security update

This release addresses a cross-site scripting (XSS) vulnerability. Due to this vulnerability, a user could inject arbitrary scripts into pages affecting other site users. This could result in administrative account compromise leading to web server process compromise. This vulnerability is mitigated by the fact that an attacker must have the necessary permissions to administer blocks.

SA-CONTRIB-2012-032 - Block Class - Cross Site scripting

ed_readmore 6.x-3.1

Security update

This release addresses a cross-site scripting (XSS) vulnerability. Due to this vulnerability, a user could inject arbitrary scripts into pages affecting other site users. This could result in administrative account compromise leading to web server process compromise. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages."

SA-CONTRIB-2012-033 - Read More Link - Cross Site Scripting

data 7.x-1.0-alpha3

Security update
Bug fixes

Changes since 7.x-1.0-alpha2:

data 6.x-1.1

Security update
Bug fixes

Changes since 6.x-1.0:
