Last update: Download PDF Edit


  • Ticket 20188: Update changedDate attribute when uploading a file.


  • Ticket 18514: Add ‘Cache-Control: no-cache’ header to responses for HTTP POST requests.


  • Ticket 18211: Made importing XML documents more secure.
  • Ported a fix from Mendix version 4 which fixes a problem running Mendix in Eclipse with Java version 6u45 or 7u21 and above.


  • Ticket 17395: Fixed stack issue in Firefox causing large forms not being rendered completely.
  • Ticket 17448: Added Jetty options request_header_size and response_header_size.


Please read the accompanying tech post if you have upgraded to Mendix 4.4.0 or 3.3.5 or if you have applied the manual JavaScript fix for Firefox 18.

  • Ticket 16949: Improved concurrency in webservice handling.
  • Ticket 16987: Added Jetty options request_header_size and response_header_size.
  • Ticket 16669, 16860, 17036: Fixed navigation issue where a user could end up on an empty screen, the previous form or the homeform while opening a form via the navigation bar or by microflow.


  • Ticket 16780: Fixed IE10 compatibility issues
  • Ticket 16794: Fixed issue with cloud security and rendering of XHTML in document template dynamic labels


  • Ticket 16058, 16259: Fixed issues with PDF and HTML generation with cloud security enabled.
  • Ticket 16190: Fixed an issue with updating data views with a microflow data source.
  • Ticket 16199: Work around Firefox 18+ bug.
  • Ticket 16327: Fixed issue with manageable roles.
  • Ticket 16475: Fixed an issue where access rules were not applied correctly.


  • The Mendix Runtime now marks the session cookie as HTTP-only. As a result, the browser makes sure that client-side JavaScript code can not access the session cookie. This is an additional line of defence: even if your app is vulnerable to XSS attacks, the session cookie cannot be read.
  • The Mendix Runtime now examines the HTTP request that it receives and looks for the ‘X-Forwarded-Scheme’ HTTP header. If that header has the value ‘https’, the cookie that is sent back is marked as secure. As a result, the browser only sends the cookie over secure HTTPS connections, thus preventing a man-in-the-middle attack to obtain the session ID.
    • In most deployment scenarios, the Mendix Runtime is located behind a separate web server. This web server takes care of encrypting the connection to end-users using HTTPS. You should configure this web server so that it adds the ‘X-Forwarded-Scheme’ HTTP header with value ‘https’ to the request in order to have the Mendix Runtime add the ‘Secure’ flag to the cookies it sends back. If your application is running in the Mendix Cloud you do not have to configure anything, if you upgrade to this Mendix version and re-deploy everything is configured automatically.
  • The Mendix runtime no longer mentions the member name in a “no access” error message, but gives a generic error message instead, to prevent attackers from learning too much about the domain model of your application.
  • When using the Export to Excel/CSV functionality the Mendix Runtime now creates a private file document instance that is only readable by the owner of the document. Excel/CSV files are deleted after downloading, but this mechanism is not infallible so it is not unthinkable that certain exported documents remain on the server, which could in theory be accessed by all users. We recommend to check your server and remove exports that are not properly removed yet.
  • We made the access rules for the System.FileDocument and System.Image entities configurable in the Project Security dialog. In previous versions when using System.FileDocument or System.Image directly (as opposed to using a specialization, which is recommended!), all users of the system (including anonymous users, if enabled) could see those files. From now on for new projects those entities have no access rules defined. Existing projects have full access defined for all users because of backward compatibility, but a warning is generated in the Modeler that urges you to fix this.
    • After converting your existing project, you should remove the access rules for entities System.FileDocument and System.Image in the Project Security dialog. To be able to do this, you should not create instances of System.FileDocument or System.Image directly. Instead, use a specialization of System.FileDocument or System.Image that suits your specific use case and configure security for that entity.


  • Ticket 13071: Fixed: Formatting values changed with inline editing in DataGrid
  • Ticket 12902: Fixed: History issues with uploads in Google Chrome Frame
  • Ticket 13006: Fixed: Refresh the DataGrid when finished with inline editing
  • Ticket 12540: Fixed: Alignment of DataGrid headers with columns
  • Ticket 12727: Stop collecting object refreshes when objects were refreshed in a system session, this led to memory consumption.


  • Ticket 12413: Fixed race conditions in client that could result in lost focus.
  • Tickets 12507, 12501: Fixed showing value over association when walking over a reversed association with owner set to BOTH.
  • Ticket 12489: Fixed NaN being sent from the client to the Runtime for empty values



  • Ticket 11054: Added support for WSDL import statements.
  • Tickets 3144, 12025, 11503, 12283: Export to and import from Excel in the batch translate/replace dialogs.
  • Edit multi-line texts in the batch translate/replace dialogs in a pop-up dialog.
  • Tickets 2942, 9304, 11226, 3145: Show where texts occur in the batch translate/replace dialog.
  • Tickets 12174, 11493: You can now use the ‘reverse merge’ feature to undo changes that were committed.
  • Ticket 11669: Added possibility to ignore nested data views in tab order.


  • Ticket 11510: Generate CSV/XLS asynchronously.
  • Tickets 11506, 11243: Export to Excel / CSV show progress bar.
  • Ticket 12116: Make IDatavalidation available in Java.
  • Ticket 11350: Image caching improvement.
  • Ticket 11349: Cache files downloaded using the file handler when they have not changed.
  • Ticket 11453: Unofficial support for running the server on alternative JDKs (with a warning shown in log).
  • Ticket 11564: Escape key can be used to choose the ‘Cancel’ button in many more dialogs now.
  • Ticket 12147: The class and style properties of widgets are now also included when searching for text.
  • Tickets 2944, 2941: Texts in the batch translate/replace forms can be copied.
  • Ticket 11263: When reaching the end of the client history, do not show the text “This pages does not exist anymore.” but go to the home form instead.
  • The Java runtime can be assigned more than 2GB when running from the Modeler.
  • Updated library Microsoft JDBC Driver sqljdbc4.jar from 3.0 to 4.0 because of support for Java 7/OpenJDK (datetime2 handling).


  • Ticket 11525: Disabled the simple parameter mapping for newly imported web service operations if they contain subtypes.
  • Ticket 11817: Fixed objects refreshed from microflow not being cached.
  • Ticket 11036: Buttons not working in Firefox 9.
  • Tickets 11094, 11928: Fixed use of datetime functions for users without a set timezone.
  • Ticket 11787: Support for continuations. Only close response outputstream if no continuation is present or the continuation is not suspended.
  • Ticket 11533: Fixed exception which occurs when a DATEPART function is executed in an anonymous session (Unknown time zone ‘Custom’).
  • Ticket 11871: Modeler did not clear conditional formatting if you deselected conditional formatting on an attribute.
  • Ticket 11465: Made all microflows/forms that have module roles assigned visible from the Module Security screen. Added warnings for microflows that have module roles assigned but are not used publicly.
  • Ticket 11737: Translatable texts in loops in microflows now show up in the batch translate/replace dialog.
  • Ticket 11849: Fixed showing all items in listening template grid while nothing was selected
  • Ticket 11751: Fixed query on associations to child entities.
  • Tickets 11837, 12104: Fixed applying conditional formatting for grid control bar buttons in tab content (with the conditional formatting referring to an enclosing dataview attribute)
  • Ticket 11585: Fixed database synchronization bug after changing the child entity of an association.
  • Ticket 11645: Fixed: Handle conditional formatting for nested widgets.
  • Ticket 11284: The ‘Find’ feature searches all microflow captions again, not just manually entered ones.
  • Ticket 11839: Fixed nested tabs not displaying correctly.
  • Tickets 11389, 11562: Fixed error in visualization of conflicts on modules.
  • Tickets 12037, 12120: Fixed JDK download links in Mendix installer.
  • Ticket 11532: Fixed incorrect result of the datepart functions for PostgreSQL when a datetime value is used as parameter.
  • Ticket 11140: Fixed conditional editable input mask.
  • Ticket 11403: Fixed ‘Cancel’ button behavior while editing custom settings.
  • Ticket 12269: Fixed constraint for referred date search fields.
  • Ticket 11974: Project was not properly refreshed after a module/folder rename resulting in incorrect error messages ‘Please re-select module roles’.
  • Ticket 12399: Fixed a microflow drawing bug that could occur while exporting a document or module.
  • Ticket 12154: Fixed problem where selecting a specific type of microflow from a microflow trigger would result in an error when starting the application.
  • Module roles names now follow the same rule as other names (no dots, no spaces, no keywords…)