The Finalsite Blog

Best practices, success stories and software updates from the desk of school experts you trust.

Software Update, 7/20
Justin Ober

Hi, everyone!

We've got a lot to talk about in this week's software update. Composer has a number of tweaks, bug fixes and some feature updates.

Forms Manager is getting some attention this week as well, with two updates. First, we heard reports of a bug that was causing form submissions to fail silently when a field entry did not validate (for example, if somebody attempted to enter an email address without an '@' symbol). Going forward, if a form field doesn't pass the validation test, the user will see which field is causing a problem so that they can fix their submission.

And speaking of that pesky '@' symbol, it crops up again in the next item. Normally we strip special characters out of form submissions before they're saved as a security precaution. This causes an error with email addresses, however, because they require a special character - '@'. As a result of Finalsite's encoding the '@' symbol, email addresses that had been submitted to forms were unusable. To fix this, we have ceased encoding the '@' symbol on form results. All of the other special characters will still be encoded.

We have enhanced the way we store user passwords in Finalsite. User passwords are hashed using a one-way algorithm, and cannot be retrieved once saved. As a result, passwords cannot be sent directly to users via eNotify. Instead, any time a user needs to retrieve their password, such as when they click the "Forgot password?" link, or when a password is included in an eNotify message, they will receive an email with a secure password-reset link that's valid for 24 hours. (This applies only to passwords authenticated against Finalsite's database; schools that use an integrated SIS or LDAP system to store user passwords will continue to use their current password systems.)

Also, this weekend we will begin serving admin sessions securely over HTTPS. In the fall we will begin serving all site pages over HTTPS, and we urge site admins to check their sites now for any content that may trigger a mixed-content warning once that's happened. Check out our Knowledge Base article Preparing for the HTTPS Conversion for more details.


  • We have enhanced the methods used to encrypt passwords when they're saved.
  • Clicking the "Forgot Password?" link will now generate a secure password-reset link that will be emailed to the user, rather than emailing the user their password.
  • Fixed a bug that was preventing elements set to show just a video or an image from being shared under certain circumstances.
  • We've tweaked the element settings and other modal windows to pin them up near the top of the browser page.
  • We've made some additional underwater code tweaks for ADA compliance purposes.
  • The image editor now edits and saves files entirely over HTTPS.

Calendar Manager

  • "All Day" events will no longer have any hour data associated with them; this will make sure that "All Day" events scheduled for Daylight Savings time switchover days are scheduled correctly.


  • The "Password" special link in the eNotify editor will now include a link allowing a user to reset their password, rather than including the user's password in the email.

Forms Manager

  • Fields that have an associated validation scheme will now identify themselves when the user's entry doesn't meet the field's requirements.
  • '@' symbols will no longer be encoded in form results. (This fixes an issue that was making it difficult to extract and use email addresses that had been saved in Forms Results.)


  • When a post contains only a thumbnail and no body content, the thumbnail will no longer link to a pop-up of itself.