Form Elements - Form labels and values now do not allow script execution to prevent possible cross-site scripting (XSS) vulnerabilities. Apps that depend on scripting will need to place such scripts into Custom HTML elements.
Readonly Form Elements - Previously, form read-only field values are not editable in the browser, but get stored in the database upon form submission. In v4, read-only field values are no longer stored to prevent unintended modifications using client-side browser tools such as Browser Console, Firebug, etc.
JSON API Request Methods – Previously, JSON API calls that modify the state of a process (e.g. start a process, complete an assignment, etc) support both HTTP GET and POST. In v4, only POST requests are supported to prevent cross-site request forgery (CSRF) attacks. Read-only API calls are unchanged. Please refer to the latest JSON API reference in the Knowledge Base at{+}http://dev.joget.org/community/display/KB/JSON+API+Image Removed
JSON API Responses – In v4, all JSON API calls respond with JSON responses only. Previously, failed authentication will redirect the request to a login page, but a failed authentication now would result in a JSON 401 response e.g.
JSON API Authentication – The JSON API now supports basic authentication, so this would be the recommended authentication mechanism when combined with HTTPS.
JavaScript API Authentication - Previously, in the JavaScript API AssignmentManager.login(url, username, password, callback), the password can be either the plaintext password or user hash. In v4, user hash is only accepted in a separate call AssignmentManager.loginWithHash(url, username, hash, callback)