Downloads

Download webform-6.x-3.19.tar.gztar.gz 136.34 KB
MD5: 2d2b935bec4691f11d73bb3c563eafeb
SHA-1: 36c66996e5a8a1f6b619c9f763fe0a28a044726f
SHA-256: 9581886daaffd238ea8ee24b5ecd395cb4d9d4ad0533bdd186327066687f6b0f
Download webform-6.x-3.19.zipzip 170.47 KB
MD5: 194db01102f87f585008c354dbc8b809
SHA-1: 8ce369aa482b898f496cc3ac89422ef5f14a744b
SHA-256: e11c4448fa425996639859c89b0bbbd00490b00406c3319ce376acd927bd359d

Release notes

This release of Webform fixes a security vulnerability where unsanitized labels could be displayed to users creating or configuring Webform content. This problem only exists in the Drupal 6 version of Webform. For more information see SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS).

In addition to the security fix, this maintenance release includes several bug fixes as listed below. Upgrading is recommended for all users of Webform 3.x.

Bug fixes since 6.x-3.18:

  • #1844278 by Liam Morland: Spelling mistakes.
  • #1462986: Undefined index: #webform_component in select.inc.
  • #1720922: Notice: Undefined index: aslist in webform_select_options_ajax().
  • #1762262: Option for "Parent fieldset" should not hinge on fieldsets alone.
  • #1724480 by Alan D., fenstrat: Added API docs for _webform_theme_component() to show that path parameter is required.
  • #1730714: Allow private option to be editable in Form Builder.
  • #1512902 by rocketeerbkw and tim.plunkett: Document hook_webform_results_access().
  • #1577640 by pebosi: Fixed webform-results-submissions typo in template file.
  • #1681390 by taldy and quicksketch: Adding components doesn't work when button text was changed.
  • #1677020 by stella: Add "hour" and "minute" classes to the time component fields.
  • #1689860 by bdone: Document hook_webform_submission_access().
  • #1662892 by Liam Morland: Default value radio should not appear for Webform grid elements.
  • #1458330 by Liam Morland: Empty string number components throw PHP notice on display.
  • #1690548 by acbramley and Liam Morland: Warning: number_format() expects parameter 1 to be double, string given in _webform_csv_data_number().
  • #1276550 by acbramley: Anonymous users may not use site default timezone.
  • #1698928 by Liam Morland: Display options: private should not depend on title_display.
  • #1611772: Cannot create Number component that allows Decimal input that works in some browsers.
  • #1615534: Add #type="actions" wrapper around buttons.
  • #832952 by dsayswhat: Popup calendar does not work within Panels.
Created by: quicksketch
Created on: 29 May 2013 at 20:36 UTC
Last updated: 1 Aug 2018 at 23:20 UTC
Git tag 6.x-3.19
Security update
Bug fixes
Insecure

Other releases