Last update: Download PDF Edit



  • Tickets 14588, 14563: Fixed an issue with passing the selected item in a data grid that triggers the default button using a single click.
  • Ticket 14726: Fixed an issue that prevented mobile applications from working on Windows Phone.
  • Ticket 14840: Fixed an issue that prevented some applications to work with IE10 on Windows 8.
  • Ticket 14578: Prevent deadlocks in the request dispatcher by using an improved work division algorithm.
  • The Mendix Runtime now marks the session cookie as HTTP-only. As a result, the browser makes sure that client-side JavaScript code can not access the session cookie. This is an additional line of defence: even if your app is vulnerable to XSS attacks, the session cookie cannot be read.
  • The Mendix Runtime now examines the HTTP request that it receives and looks for the ‘X-Forwarded-Scheme’ HTTP header. If that header has the value ‘https’, the cookie that is sent back is marked as secure. As a result, the browser only sends the cookie over secure HTTPS connections, thus preventing a man-in-the-middle attack to obtain the session ID.
    • In most deployment scenarios, the Mendix Runtime is located behind a separate web server. This web server takes care of encrypting the connection to end-users using HTTPS. You should configure this web server so that it adds the ‘X-Forwarded-Scheme’ HTTP header with value ‘https’ to the request in order to have the Mendix Runtime add the ‘Secure’ flag to the cookies it sends back. If your application is running in the Mendix Cloud you do not have to configure anything, if you upgrade to this Mendix version and re-deploy everything is configured automatically.
  • The Mendix runtime no longer mentions the member name in a “no access” error message, but gives a generic error message instead, to prevent attackers from learning too much about the domain model of your application.
  • When using the Export to Excel/CSV functionality the Mendix Runtime now creates a private file document instance that is only readable by the owner of the document. Excel/CSV files are deleted after downloading, but this mechanism is not infallible so it is not unthinkable that certain exported documents remain on the server, which could in theory be accessed by all users. We recommend to check your server and remove exports that are not properly removed yet.
  • We made the access rules for the System.FileDocument and System.Image entities configurable in the Project Security dialog. In previous versions when using System.FileDocument or System.Image directly (as opposed to using a specialization, which is recommended!), all users of the system (including anonymous users, if enabled) could see those files. From now on for new projects those entities have no access rules defined. Existing projects have full access defined for all users because of backward compatibility, but a warning is generated in the Modeler that urges you to fix this.
    • After converting your existing project, you should remove the access rules for entities System.FileDocument and System.Image in the Project Security dialog. To be able to do this, you should not create instances of System.FileDocument or System.Image directly. Instead, use a specialization of System.FileDocument or System.Image that suits your specific use case and configure security for that entity.



  • Tickets 14336, 14363: Fixed triggering of on change microflow for conditionally formatted rows.
  • Tickets 13647, 13245: Fixed dependent retrieve queries for which a retrieval schema is defined.
  • Fixed rendering of section content when section is placed in a conditional formatted row.
  • Fixed height of textarea when textarea is placed in a collapsed section or shown by conditional formatting.
  • Fixed opening a form multiple times when an open form button is clicked multiple times.
  • Fixed showing mobile footer while footer type is set to ‘none’.
  • Added a workaround for a bug in iOS 6 to prevent it from caching POST requests.


Important changes

  • To be compatible with Phonegap, the index file for mobile has been changed. For custom index files for mobile, a script defining the location of Dojo should be added, right before the inclusion of mobile.js. See the default index-mobile.html for details.


  • Tickets 13333, 12503, 11398: Added option in project settings to select the timezone scheduled events should run in (default is UTC).
  • Ticket 13360: Do not overwrite dojo when dojo is already defined. This is useful for debugging custom widgets.
  • Ticket 13486: Added the ‘constrained by’ feature to mobile reference selectors.
  • Ticket 13696: Added option to configure a password policy. The policy can specify whether digits, different cases and symbols are required and what the minimum length for passwords is.
  • Ticket 13809: Allow conditional visibility in mobile list views.
  • Ticket 13811: Holding the ‘shift’ key while placing a widget now allows you to quickly placing another widget of that type.
  • Ticket 13901: Suggested variable names in create actions are prefixed with ‘New’ again.
  • Ticket 13903: Improved error message for incorrect paths in the ‘constrained by’ property.
  • Ticket 14005: Added log message when the Mendix runtime reconnects to the database after a failed connection.
  • Ticket 13592, 13483: Added possibility to allow ‘empty’ as parameter value in reports, when no value is selected.
  • Ticket 13166: Optimized retrieving data of aggregate rows in grids.


  • Ticket 14135: Fixed exception related to delete behavior.
  • Ticket 13529: Fixed exception when attemping to synchronize a 2.x database with a project created in 3.x or higher.
  • Ticket 13984, 13690: Fixed processing of the return value of ‘before’ event handlers.
  • Ticket 13982: Do not apply security for retrieval of cascading delete objects.
  • Ticket 13965: Improved behavior when wrapping an app with PhoneGap.
  • Tickets 14078, 14123: Fixed XML export for child elements with attributes.
  • Ticket 13454: Fixed OQL count aggregate expression on non-numeric fields.
  • Ticket 13994: Allow editing of event handlers of the reference set selector through the property grid and form.
  • Ticket 13971: Fixed exception that could occur when retrieving a list of objects by ID.
  • Ticket 14025: Do not take security in account when checking whether an auto-committed object exists in the database during commit process.
  • Tickets 13626, 12982, 11539: Fixed rendering of UTF-8 characters and spaces in download file names.
  • Ticket 14008: Export to CSV button now has no constraint on the maximum number of rows.
  • Ticket 14012: Fixed running apps locally with cloud security enabled using JDK 1.7.
  • Ticket 13726: Properly handle the case that a versioned directory is restored on disk after being marked as deleted. A svn-deleted file/directory is svn-added if it exists on disk again.
  • Ticket 13860: Use mouse down/mouse up events instead of click for handling of button presses.
  • Ticket 13195: Fixed an issue that occurred when copying rows or columns that contain merged cells.
  • Ticket 13639: Fix drop down buttons placed inside data views.
  • Ticket 13764: Fixed rarely occurring exception in case of many concurrent requests.
  • Ticket 14108: Fixed opening a form after switching from anonymous to a named user.
  • Ticket 14122: Fixed query rendering while querying on an entity with a super entity without regular attributes but with owner/changedby attributes.
  • Ticket 13797: Restored API method to avoid compilation errors in the App Store database replication module.
  • Ticket 13340: Improved checks on validation rules for DateTime attributes.
  • Ticket 14133: Show date picker for custom date format.
  • Ticket 13273: Fixed enum sorting in search dropdowns for reports.
  • Ticket 13686: Fixed refreshing value of number input while having the focus.
  • Ticket 13954: Update changedDate when uploading a new file to an existing FileDocument object.
  • Ticket 13190: Do not remove thousands separators when focusing inactive textbox with currency.