Generally, apps running in v3 are compatible in v4. However, there is greater emphasis on security in v4 so the following exceptions apply:
- Form Elements - Form labels and values now do not allow script execution to prevent possible cross-site scripting (XSS) vulnerabilities. Apps that depend on scripting will need to place such scripts into Custom HTML elements.
- Readonly Form Elements - Previously, form read-only field values are not editable in the browser, but get stored in the database upon form submission. In v4, read-only field values are no longer stored to prevent unintended modifications using client-side browser tools such as Browser Console, Firebug, etc.
- JSON API Request Methods – Previously, JSON API calls that modify the state of a process (e.g. start a process, complete an assignment, etc) support both HTTP GET and POST. In v4, only POST requests are supported to prevent cross-site request forgery (CSRF) attacks. Read-only API calls are unchanged. Please refer to the latest JSON API reference in the Knowledge Base at JSON API
- JSON API Responses – In v4, all JSON API calls respond with JSON responses only. Previously, failed authentication will redirect the request to a login page, but a failed authentication now would result in a JSON 401 response e.g.
- JSON API Authentication – The JSON API now supports basic authentication, so this would be the recommended authentication mechanism when combined with HTTPS.
Apps that make use of the above may need to be modified and tested accordingly.