Drupal Release: 8.0.0-beta12

TL;DR

Drupal 8.0.0-beta12 brings significant performance improvements, enhanced security measures, and better developer experience. Key highlights include improved caching mechanisms, UTF-8 support in MySQL, inline form errors for better accessibility, and numerous bug fixes. This release focuses on optimizing core functionality while addressing security vulnerabilities and improving the overall user experience.

Highlight of the Release

• MySQL driver now supports full UTF-8, including emojis and special characters
• Inline form errors for improved accessibility and user experience
• Significant performance improvements through enhanced caching mechanisms
• Better Views integration with render caching
• Improved security with vendor directory protection and XSS prevention
• Updated Symfony components to version 2.7.0
• New placeholder system (#lazy_builder) replacing #post_render_cache
• Enhanced entity form validation

Migration Guide

Deprecated Functions and Methods

Several functions and methods have been deprecated in this release:

• entity_create() is deprecated in favor of <EntityType>::create($values) or \Drupal::entityManager()->getStorage($entity_type)->create($values)
• conf_path() is deprecated
• drupal_get_schema()/drupal_get_complete_schema() have been removed
• drupal_html_id() is considered harmful and has been replaced
• All taxonomy_* functions are deprecated
• Methods on BubbleableMetadata class marked as deprecated should no longer be used

Service Changes

If you've extended or relied on these services, you'll need to update your code:

• The router.builder service has been removed from Drupal\Core\Menu\LocalTaskManager
• Service dependencies have been updated in various classes
• Cache plugin base classes no longer need Renderer/RenderCache services injected

Form API Changes

• Forms using #ajax now bypass form caching by default
• The #post_render_cache system has been replaced with #lazy_builder placeholders

Database Changes

• MySQL now uses utf8mb4 for full UTF-8 support. You may need to update your database configuration if you're using custom queries that depend on character encoding.

Theme Changes

• Several CSS files have been moved to the Classy theme
• Many CSS classes have been prefixed with 'js-' to separate behavior from styling
• Unnecessary markup has been removed from core templates

Configuration Entity Changes

• Collections other than the default can no longer support configuration entities
• Config import validation now takes into account install profiles

Upgrade Recommendations

This beta release contains significant improvements to performance, security, and developer experience. While it's still a beta version, the changes are substantial enough to warrant upgrading development and testing environments.

For development sites: Upgrade is recommended to take advantage of the performance improvements and to ensure your custom code works with the new caching mechanisms and security enhancements.

For production sites: As this is still a beta release, caution is advised for production environments. If you're already running a beta version of Drupal 8, upgrading to beta12 is recommended for the security improvements, but be sure to thoroughly test your site first.

Custom code considerations:

• Review any custom code that uses deprecated functions or services
• Test thoroughly with the new caching system
• Update any MySQL queries that might be affected by the UTF-8 changes
• Check for any XSS vulnerabilities in your custom code using the new security guidelines

Before upgrading, make a complete backup of your site and database, and test the upgrade process on a staging environment first.

Bug Fixes

Menu Link Fixes

Fixed a regression where editing a node with a disabled menu link would re-enable that menu link unexpectedly.

Form Handling Improvements

• Fixed an issue where changing from a text format with an editor to one without would ignore user-entered changes
• Fixed AJAX dialog triggering click before mouseup
• Fixed tabledrag adding tabledrag-handle twice for nested tables

Entity Form Validation

Fixed a critical issue where entity forms were skipping validation of fields not in the EntityFormDisplay, ensuring all fields are properly validated.

Path Alias Issues

Fixed a bug where the Path alias UI would allow both "node/1" and "/node/1" as system paths, which would later cause fatal errors.

Translation Issues

• Fixed a bug where node revisions could not be reverted per translation
• Fixed issues with translatable entity 'created' and 'uid' fields not being initialized properly during content translation

Cache-Related Fixes

• Fixed an issue where the history module triggered a post request for anonymous users on all node pages
• Fixed tracker responses not setting cache tags & contexts
• Fixed forum responses not setting cache tags

Security Fixes

• Fixed an issue where the vendor directory was web accessible
• Fixed a vulnerability where confirm form cancel buttons could lead to external domains
• Fixed potential XSS on field edit forms via the label field in CKEditor

New Features

MySQL Full UTF-8 Support

The MySQL driver now supports full UTF-8, allowing for storage and display of emojis, Asian symbols, mathematical symbols, and other special characters. This addresses a long-standing limitation in Drupal's MySQL integration.

Inline Form Errors

A major accessibility improvement adds inline form errors, making form validation feedback more accessible and user-friendly. Error messages now appear directly next to the relevant form elements rather than only at the top of the form.

Enhanced Date Formatting

Added DateFormatter::formatDiff() as a non-buggy alternative to DateFormatter::formatInterval() when the start and end of the interval are known, providing more accurate date difference calculations.

Active Theme Twig Function

Added an active_theme Twig function to make it easier for theme developers to check the current active theme in templates.

Symfony Console Component

Added the Symfony Console component to core, enabling better command-line tooling capabilities.

Query Parameter Content Negotiation

Implemented query parameter-based content negotiation as an alternative to extensions, providing more flexibility in how content is delivered based on request parameters.

Security Updates

XSS Prevention

• Enhanced XSS protection in the Renderer by ensuring #markup is properly escaped
• Fixed potential XSS vulnerability on field edit forms via the label field in CKEditor
• Improved handling of SafeMarkup in various components
• Removed unsafe usage of SafeMarkup::set() in multiple places

Access Control

• Fixed an issue where the vendor directory was web accessible by improving .htaccess rules
• Added protection against PHP file access that could bypass existing security measures
• Fixed a vulnerability where confirm form cancel buttons could lead to external domains

User Management

• Improved password strength validation by not including leading and trailing spaces
• Fixed AccountPermissionsCacheContext/PermissionsHashGenerator to properly handle user 1 (admin)
• Added "Translate user edited configuration" permission to the restricted permissions list

Twig Security

• Fixed a vulnerability that could allow arbitrary code execution via 'trans' extension for dynamic Twig templates when debug output is enabled

Form Security

• Enhanced form token validation
• Improved CSRF protection in various forms
• Better validation in module uninstall forms

Performance Improvements

Caching Enhancements

• Optimized CacheableMetadata::merge() and BubbleableMetadata::merge() for better performance
• Implemented caching for incoming path processing and route matching
• Added caching for CSS/JS asset resolving
• Enabled tags cache plugin by default for Views
• Made Views use render caching and removed Views' own "output caching"

Entity Management Optimization

• Significantly improved performance for configuration entity deletion operations
• Optimized entity view controller title rendering which was previously expensive
• Improved Views' handling of entity data

Reduced Function Calls

• Optimized toolbar pre-rendering which was responsible for ~15ms/17000 function calls on every page
• Reduced unnecessary processing in Views by limiting plugin definition types
• Removed unnecessary rendering of main help pages on the modules page

AJAX Improvements

• Bypassed form caching by default for forms using #ajax
• Removed ajax_html_ids to use GET (not POST) AJAX requests
• Rewrote file widget AJAX controller to not rely on form cache

Database Optimizations

• Improved database schema handling
• Enhanced MySQL driver with better UTF-8 support
• Optimized watchdog table entries

Impact Summary

Drupal 8.0.0-beta12 represents a significant step forward in Drupal 8's development with a strong focus on performance, security, and developer experience. The release includes over 6,000 changes that touch nearly every part of the system.

Performance improvements are a major highlight, with substantial enhancements to the caching system that will make Drupal sites faster and more scalable. The introduction of cache contexts, tags, and improved render caching in Views will have a noticeable impact on site speed.

Security has been strengthened through better XSS protection, improved handling of user permissions, and fixes for several potential vulnerabilities. The vendor directory is now better protected, and there's enhanced validation for form submissions.

For developers, the update to Symfony 2.7.0 components, improved JavaScript documentation, and the new placeholder system provide better tools and a more consistent development experience. The MySQL driver's full UTF-8 support removes a long-standing limitation.

End users will benefit from better accessibility through inline form errors, improved UI in the Bartik theme, and various UX enhancements throughout the system.

This beta release demonstrates Drupal 8's continued maturation, with a focus on polishing existing features rather than adding new ones. The emphasis on performance, security, and developer experience indicates that the project is moving closer to a stable release.