Drupal Release: 8.0.0-beta10

TL;DR

Drupal 8.0.0-beta10 brings significant improvements to performance, security, and developer experience. This release focuses on optimizing cache handling, enhancing security with better XSS protection, improving accessibility, and refining the UI with consistent button styling. Key updates include better entity handling, improved responsive image support, and numerous bug fixes. The release also introduces new testing tools with BrowserTestBase and updates several third-party libraries including jQuery UI and Twig.

Highlight of the Release

• Introduction of BrowserTestBase for web-testing on top of Mink
• Significant performance improvements with optimized caching mechanisms
• Enhanced security with better XSS protection in data attributes
• Improved accessibility across the admin interface
• Consistent button styling throughout the admin UI
• Updated minimum requirements for MySQL (5.5.3) and SQLite (3.6.8)
• Better responsive image support with improved fallback options

Migration Guide

Minimum Requirements Changes

• MySQL: Minimum version requirement raised to 5.5.3
• SQLite: Minimum version requirement raised to 3.6.8

API Changes

Deprecated Functions and Methods

• drupal_get_schema() and drupal_get_complete_schema() have been deprecated
• element_info(), element_child() and element_children() have been removed
• element_info_property() has been deprecated
• drupal_get_destination() should be replaced with the redirect destination service
• \Drupal\Core\Template\TwigExtension::getUrlFromPath() has been marked as deprecated
• hook_library_alter() has been removed, use hook_library_info_alter() instead

CSS Class Changes

• Changed active class from active to is-active across the system
• Update your templates and CSS to use the new class name

Entity API Changes

• Entity/field access and node grants are now taken into account with core cache contexts
• EntityForm::validate() can now modify the form structure
• BlockBase::blockAccess() now returns AccessResult instead of a boolean

Caching Changes

• Internal page caching moved to a module
• Cache implementation decoupled from the renderer and exposed as renderCache service
• Added CacheableResponseInterface to consolidate ways of setting X-Drupal-Cache-Tags/Contexts headers

JavaScript Changes

• jQuery UI updated to 1.11.4
• Position selectors converted to be compatible with jQuery native-API selector

Required Updates for Custom Code

Theme Updates

• Update templates using active class to use is-active instead
• If you've overridden responsive image theme functions, update to use the new #type element

Module Updates

• Replace usage of deprecated element functions with their alternatives
• Update any code using drupal_get_destination() to use the redirect destination service
• If implementing BlockBase::blockAccess(), ensure it returns AccessResult instead of a boolean
• Update any code using hook_library_alter() to use hook_library_info_alter()

Testing Updates

• Consider migrating tests to use the new BrowserTestBase for web-testing

Upgrade Recommendations

This beta release contains significant improvements to performance, security, and developer experience, making it a worthwhile upgrade for development sites. However, as this is still a beta release, it is not recommended for production sites.

For Development Sites:

• Recommended: Upgrade to take advantage of the new testing tools, performance improvements, and security enhancements.
• Pay special attention to the API changes, particularly around caching, entity handling, and deprecated functions.
• Test thoroughly after upgrading, especially if your site uses custom modules or themes.

For Production Sites:

• Not Recommended: Wait for a stable release before upgrading production sites.
• Use this beta release only in a staging environment to identify potential issues with your custom code.

Before Upgrading:

1. Ensure your server meets the new minimum requirements (MySQL 5.5.3, SQLite 3.6.8)
2. Back up your database and files
3. Update any custom code that uses deprecated functions
4. Test thoroughly in a development environment before considering deployment

After Upgrading:

1. Clear caches
2. Run update.php
3. Test all critical functionality, especially custom modules and themes
4. Pay special attention to caching behavior and entity handling

Bug Fixes

Entity and Field Handling

• Fixed issue where entity query age only got current revision ID.
• Fixed bug where EntityStorageSchema::requiresEntityDataMigration() returned TRUE for cases where it should return FALSE.
• Fixed issue where taxonomy filter with depth was completely broken.
• Fixed bug where field storage write was attempted when field content did not change.

Caching Issues

• Fixed issue where changing #cache keys during #pre_render led to cache redirect corruption.
• Fixed bug where max-age on HTML responses was wrongly set to max-age=0, private instead of max-age=N, public.
• Fixed issue where Views result cache ignored query arguments.
• Fixed issue where 404/403 responses for non-existing nodes were cached in Page Cache/reverse proxy.

Security

• Fixed XSS vulnerability where Xss::filter() ignored malicious content in data-attributes and mangled image captions.

UI and Accessibility

• Fixed issue where focus effect on vertical tabs conflicted with tab affordance.
• Fixed double-escaping in dblog event operations.
• Fixed issue where the color module lock/unlock link was not accessible.
• Fixed issue where no scrollbar appeared in views style option popup.
• Fixed issue where no pager showed on taxonomy overview pages.

Other

• Fixed issue where canceling a user account and assigning content to Anonymous didn't clear the comment name.
• Fixed issue where session data was lost when set after a session regenerate.
• Fixed issue where Views preview wasn't working without saving new display.

New Features

Testing Framework Improvements

• BrowserTestBase: New testing framework built on top of Mink for web-testing, providing a more modern approach to functional testing.

Responsive Images

• Improved Fallback: Added fallback image style into the responsive image style entity for better handling when responsive images aren't supported.
• Theme Element: Converted responsive image theme functions to new #type element for better developer experience.

Authentication

• Decoupled Authentication: Session handling has been decoupled from cookie-based user authentication, allowing for more flexible authentication methods.

Caching

• Internal Page Caching: Moved to a module to avoid relying on config at runtime.
• FileCache for YAML: Added caching for YAML parsing to improve performance.
• Render Cache Service: Decoupled cache implementation from the renderer and exposed as a renderCache service.

UI Improvements

• Active Class: Changed active class to is-active for better consistency.
• Button Styling: Improved consistency of button styling across the admin interface.
• Seven Theme: Added RTL support and improved styling for fieldsets.

Security Updates

XSS Protection

• Fixed a critical security vulnerability where Xss::filter() ignored malicious content in data-attributes and mangled image captions, which could allow cross-site scripting attacks.

Authentication

• Improved session handling by decoupling it from cookie-based user authentication, making the authentication system more secure and flexible.
• Fixed an issue where CSRF token seed and possibly other session data was lost when set after a session regenerate.

Access Control

• Fixed issues with entity/field access and node grants not being properly taken into account with core cache contexts.
• Fixed a bug where Node module permissions were broken if hook_node_grants was implemented.

Error Handling

• Added support for PHP7 EngineExceptions in the error handler, improving security by properly handling PHP7 errors.

Cache Headers

• Fixed an issue where max-age on HTML responses was wrongly set to max-age=0, private instead of max-age=N, public, which could affect security by preventing proper caching.

Performance Improvements

Caching Optimizations

• YAML Parsing: Added FileCache for YAML parsing, significantly improving performance as YAML parsing was identified as a bottleneck.
• Route Handling: Optimized by unserializing preloaded routes on the fly.
• Field Storage: Improved performance by not attempting field storage write when field content did not change.
• Render Cache: Decoupled cache implementation from the renderer and exposed as a renderCache service for better performance.
• Attachments: Optimized merging of attachments in the rendering process.

Database Improvements

• MySQL: Added support for ONLY_FULL_GROUP_BY to improve query performance and correctness.
• Entity Handling: Optimized entity access and field storage operations.

JavaScript Optimizations

• Minification: Using minified jQuery once for better performance.
• Source Maps: Removed sourceMappingURL and sourceURL when JS files are aggregated to reduce unnecessary HTTP requests.
• Debounce: Added proper wait time in responsive tabs for better performance.

Other

• APC Classloader: Now used by default when available for improved class loading performance.
• Form Handling: Form caches are now deleted after submission to improve performance and reduce database size.

Impact Summary

Drupal 8.0.0-beta10 represents a significant step forward in the Drupal 8 development cycle, focusing on performance optimization, security enhancements, and developer experience improvements. The release introduces important architectural changes to caching mechanisms, entity handling, and authentication systems that lay the groundwork for a more robust and scalable CMS.

Performance improvements are a major highlight, with optimized YAML parsing, smarter field storage handling, and improved caching throughout the system. These changes should result in noticeably faster page loads and better resource utilization, especially on high-traffic sites.

Security has been strengthened with fixes for XSS vulnerabilities and improvements to authentication handling. The decoupling of session handling from cookie-based authentication provides a more flexible and secure foundation for various authentication methods.

For developers, the introduction of BrowserTestBase offers a modern approach to functional testing built on Mink, while numerous API improvements provide more consistent and intuitive interfaces. The updated minimum requirements for MySQL and SQLite ensure better compatibility with modern database features.

Site builders will appreciate the enhanced responsive image support, more consistent UI elements, and improved multilingual capabilities. The standardization of button styling and active states across the admin interface creates a more cohesive user experience.

While this is still a beta release with ongoing development, it demonstrates Drupal 8's commitment to performance, security, and developer experience as core principles of the platform.