
Drupal Release: 8.0.0-beta15

Pre Release

Tag Name: 8.0.0-beta15

Release Date: 9/4/2015


Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 8.0.0-beta15 brings significant security improvements, particularly around HTML escaping and safe markup handling. The release focuses on removing SafeMarkup::set() and other deprecated methods, improving the migration system, enhancing JavaScript documentation, and fixing numerous bugs. Key security fixes include protection against SQL injection, cross-site scripting, and cross-site request forgery vulnerabilities. The update also introduces responsive image styles, reduces memory usage, and improves performance through container caching.

Highlight of the Release

    • Major security improvements with removal of SafeMarkup::set() and fixes for SQL injection, XSS, and CSRF vulnerabilities
    • Significant performance boost through container caching and reduced function calls in template rendering
    • Enhanced migration system with improved support for Drupal 6/7 content, users, menus, and comments
    • Reduced 'divitis' in field markup for cleaner HTML output
    • New default responsive image styles for better mobile experience
    • Improved theme system with support for specific preprocess functions for theme hook suggestions
    • Conversion of page elements (local tasks, actions) into blocks for better flexibility

Migration Guide

Removing SafeMarkup::set() and SafeMarkup::checkPlain()

If your code uses SafeMarkup::set(), you should replace it with one of these alternatives:

  • For simple text that needs escaping: Use #plain_text in render arrays
  • For HTML that is already safe: Use new FormattableMarkup() or new HtmlEscapedText()
  • For translatable strings: Use t() which already marks strings as safe

Replace SafeMarkup::checkPlain() with Html::escape() which provides the same functionality.
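The replacements above, side by side with the pattern each one retires, as an added example (not code from the release notes or from Drupal core). It assumes a Drupal 8 module context after the beta15 upgrade with the Component classes autoloaded; the namespaces are those of Drupal 8.0.0 and should be checked against your checkout, and the `$untrusted_*` values and `example_*` function names are hypothetical.

```php
<?php
// Added example; not from the release notes or Drupal core. Assumes a
// Drupal 8 module after the beta15 upgrade. Namespaces as in 8.0.0
// (assumption); $untrusted_* are hypothetical user-supplied values.

use Drupal\Component\Render\FormattableMarkup;
use Drupal\Component\Render\HtmlEscapedText;
use Drupal\Component\Utility\Html;

/**
 * Before: SafeMarkup::set(SafeMarkup::checkPlain($name)) under '#markup'.
 * After: hand the raw text to the renderer with '#plain_text'. It is
 * escaped at render time, so nothing has to be marked "safe" by hand.
 */
function example_greeting_build($untrusted_name) {
  return [
    'greeting' => ['#plain_text' => 'Hello ' . $untrusted_name],
  ];
}

/**
 * Before: SafeMarkup::checkPlain($text) where a plain string is needed
 * (a log message, an attribute value assembled by hand).
 * After: Html::escape() is the one-to-one replacement.
 */
function example_escape($untrusted_text) {
  return Html::escape($untrusted_text);
}

/**
 * Before: SafeMarkup::set('<strong>' . SafeMarkup::checkPlain($name) . '</strong>').
 * After: keep the fixed HTML in the template and let FormattableMarkup
 * escape the '@' placeholder; only the literal template is trusted.
 */
function example_highlight($untrusted_name) {
  return new FormattableMarkup('<strong>@name</strong>', [
    '@name' => $untrusted_name,
  ]);
}

/**
 * Before: a SafeMarkup::set() string passed around as "already safe".
 * After: HtmlEscapedText wraps the raw text and escapes it when it is
 * cast to a string, so consumers that expect safe markup stay safe.
 */
function example_escaped_object($untrusted_text) {
  return new HtmlEscapedText($untrusted_text);
}
```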

Deprecated Functions and Methods

The following functions and methods are now deprecated:

  • check_url(): Use UrlHelper::filterBadProtocol() instead
  • drupal_placeholder(): Use #placeholder render array property instead
  • EntityListBuilder::getLabel(): Use EntityListBuilder::getEntityLabel() instead
  • getUrlFromPath() in TwigExtension: This method has been removed

Theme System Changes

  • Page elements (local tasks, actions) have been converted to blocks. If your theme relied on these elements being rendered in specific places, you'll need to update your theme to accommodate the new block-based approach.

  • Field markup has been simplified to reduce "divitis". Review your CSS selectors if they targeted specific field wrapper divs that may no longer exist.

  • Specific preprocess functions for theme hook suggestions are now supported. For example, you can now use template_preprocess_node__article() without needing to implement template_preprocess_node() first.

Migration System Updates

If you're working with migrations:

  • Load plugins have been removed. Update your migration configurations accordingly.
  • The Migration process plugin no longer skips rows. Review your migration process if it relied on this behavior.
  • Entity:file destination schema has been removed from Migrate Drupal.

Upgrade Recommendations

Recommendation

This beta release contains critical security fixes and important performance improvements. All sites running Drupal 8 beta versions should upgrade to beta15 as soon as possible.

Before Upgrading

  1. Back up your database and files: Always create a complete backup before upgrading.

  2. Review custom code: If you have custom modules or themes, review them for:

    • Usage of SafeMarkup::set() and SafeMarkup::checkPlain()
    • Any code that might be affected by the security fixes
    • Theme code that might be affected by the field markup changes

  3. Test in a development environment: Given the extensive changes in this release, testing in a non-production environment is strongly recommended.

Upgrade Process

  1. Put your site in maintenance mode
  2. Replace your codebase with the new version
  3. Run update.php to apply database updates
  4. Clear all caches
  5. Test your site thoroughly before taking it out of maintenance mode

Special Considerations

  • Migration modules: The migration modules are now marked as Experimental. Be aware that APIs may change in future releases.

  • Theme developers: Check your themes for compatibility with the reduced "divitis" in field markup and the conversion of page elements to blocks.

  • Form handling: If you have custom forms, verify they work correctly with the enhanced security measures for form handling.

Bug Fixes

Core Functionality

  • Fixed string field type to properly consider empty string as empty value
  • Fixed menu links losing parent, expanded, and enabled status on cache clear
  • Fixed zero values not showing in views table style
  • Fixed batch processing for large content operations
  • Fixed issue with disabled text formats still filtering and displaying content
  • Fixed fatal error when editing content after disabling format with editor
  • Fixed issue with date formats allowing identical date format strings
  • Fixed forum index response missing vocabulary cache tag
  • Fixed tracker responses missing cache tag and context

Editor & CKEditor

  • Fixed CKEditor loading non-existent CSS files
  • Fixed unidirectional editor configuration to filter settings syncing
  • Fixed quick editing of body fields in Standard profile

Views & Display

  • Fixed Views block displaying when no results returned
  • Fixed REST views unchecking "Display all values in the same row" option
  • Fixed URL filter not correctly recognizing URLs with uppercase query arguments
  • Fixed aggregator feed overview misleading text

Migration

  • Fixed d7_filter_format migration mishandling format IDs
  • Fixed d7_user migration handling of user roles and empty pictures
  • Fixed d7_menu_link migration to provide default description
  • Fixed d7_field_formatter_settings migration handling of empty settings

Database & Schema

  • Fixed SQLite database driver failing to drop simpletest tables
  • Fixed composite indexes not being correctly deleted/recreated when updating field storage
  • Fixed PostgreSQL schema implementation issues

New Features

Security Improvements

  • Added #plain_text to escape text in render arrays, replacing SafeMarkup::checkPlain()
  • Improved protection against SQL injection, XSS, and CSRF vulnerabilities
  • Enhanced form API security with better validation of form values

Migration System Enhancements

  • Added migration paths for Drupal 7 users, content, comments, and menus
  • Improved handling of large volume entity migrations to prevent memory issues
  • Added ability to track current state of migrations
  • Enhanced migration message retrieval API

Theme System Improvements

  • Added support for specific preprocess functions for theme hook suggestions
  • Converted page elements (local tasks, actions) into blocks
  • Created default responsive image styles
  • Reduced 'divitis' in field markup for cleaner HTML output

Performance Optimizations

  • Replaced Symfony container with a Drupal one stored in cache for better performance
  • Saved 5 function calls for every rendered template
  • Improved PostgreSQL Upsert query implementation
  • Resolved infinite stampede in mtime protected PHP storage

Security Updates

SQL Injection Protection

  • Fixed SQL injection vulnerability in the Database API (ported from SA-CORE-2015-003)
  • Added tests to verify protection against SQL injection

Cross-Site Scripting (XSS) Protection

  • Improved HTML escaping throughout the system by:

    • Removing SafeMarkup::set() and replacing with proper escaping methods
    • Adding #plain_text render array property for safe text output
    • Deprecating SafeMarkup::checkPlain() in favor of Html::escape()
    • Improving Html::escape() with ENT_SUBSTITUTE flag
    • Making SafeStringInterface extend \JsonSerializable for safer JSON output
  • Fixed XSS vulnerabilities in the Ajax system (ported from SA-CORE-2015-003)
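To show what the ENT_SUBSTITUTE change to Html::escape() buys, here is an added plain-PHP example (not from the release notes or Drupal core) that reproduces the htmlspecialchars() call Html::escape() wraps, with and without the flag, on constructed inputs including a string with an invalid UTF-8 byte.

```php
<?php
// Added example; plain PHP with no Drupal dependency. Html::escape() in
// Drupal 8 is htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
// the two helpers below differ only in the ENT_SUBSTITUTE flag.

/**
 * Escaping without ENT_SUBSTITUTE: on an invalid UTF-8 sequence,
 * htmlspecialchars() gives up and returns an empty string.
 */
function escape_without_substitute($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Escaping with ENT_SUBSTITUTE: invalid sequences are replaced by U+FFFD
 * and the rest of the string is still escaped.
 */
function escape_with_substitute($text) {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Runs both variants over the constructed samples and reports whether
 * the old behaviour silently dropped the value.
 */
function compare_escaping() {
  // Constructed samples: a markup payload and a string whose 0xC3 byte
  // lacks its continuation byte, i.e. invalid UTF-8.
  $samples = [
    'markup'  => '<script>alert("x")</script>',
    'invalid' => "caf\xC3 <b>bold</b>",
  ];
  $report = [];
  foreach ($samples as $label => $input) {
    $old = escape_without_substitute($input);
    $new = escape_with_substitute($input);
    $report[$label] = [
      'old' => $old,
      'new' => $new,
      // TRUE when the pre-change escaping lost non-empty input entirely.
      'old_dropped_input' => ($input !== '' && $old === ''),
    ];
  }
  return $report;
}

foreach (compare_escaping() as $label => $row) {
  printf("%-8s old=%s new=%s dropped=%s\n", $label,
    var_export($row['old'], TRUE), var_export($row['new'], TRUE),
    var_export($row['old_dropped_input'], TRUE));
}
```

The security point is the failure mode, not the replacement character: without the flag a caller that builds output from the escaped value cannot tell that the whole value vanished, whereas with it the tags are still neutralised and the content survives.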

Cross-Site Request Forgery (CSRF) Protection

  • Improved Form API security to prevent CSRF attacks (ported from SA-CORE-2015-003)
  • Ensured form tokens are marked with max-age=0 to prevent token reuse

Information Disclosure Prevention

  • Fixed information disclosure vulnerability in menu links due to insufficient access checking
  • Fixed content translation module information disclosure by improving access checking

Input Validation

  • Fixed issue where posting an array as a value of a form element was allowed even when a string was expected
  • Improved validation to prevent bypassing #maxlength constraints

Performance Improvements

Container Caching

The most significant performance improvement in this release is replacing the Symfony container with a Drupal-specific one that can be stored in cache. This change dramatically reduces bootstrap time by avoiding the need to rebuild the service container on every request.

Template Rendering

A simple but effective optimization saves 5 function calls for every rendered template, which adds up to significant performance gains on complex pages with many template includes.

Database Improvements

  • Improved the Upsert query implementation for PostgreSQL, making database operations more efficient
  • Fixed database exception handling, improving reliability and performance of database operations

Memory Usage Optimization

  • Large volume entity migrations now use less memory, preventing out-of-memory errors during large content migrations
  • Improved MigrateFullDrupalTestBase test discovery to prevent memory exhaustion

Caching Improvements

  • Fixed forum index response to include vocabulary cache tag
  • Ensured tracker responses include necessary cache tags and contexts
  • Improved comment cache tag usage for better cache invalidation
  • Resolved infinite stampede in mtime protected PHP storage

Impact Summary

Drupal 8.0.0-beta15 represents a significant step forward in security, performance, and developer experience. The removal of SafeMarkup::set() and other unsafe markup handling methods greatly improves protection against XSS vulnerabilities. The security fixes ported from SA-CORE-2015-003 address critical SQL injection, XSS, and CSRF vulnerabilities.

Performance sees substantial improvements through container caching and template rendering optimizations. These changes reduce bootstrap time and memory usage, making the system more efficient overall.

For developers, the migration system has been enhanced with better support for Drupal 6/7 content, users, menus, and comments. The theme system now supports specific preprocess functions for theme hook suggestions and provides cleaner HTML output with reduced "divitis" in field markup.

Site builders will appreciate the new default responsive image styles and the conversion of page elements to blocks, which provides greater flexibility in page layout. Content editors benefit from fixed CKEditor issues and improved handling of empty strings in fields.

This release demonstrates Drupal 8's continued progress toward a stable release with its focus on security, performance, and developer experience improvements.

Statistics:

  • Files Changed: 300
  • Line Additions: 8,619
  • Line Deletions: 3,033
  • Line Changes: 11,652
  • Total Commits: 250

Users Affected:

  • Need to update code that uses deprecated `SafeMarkup::set()`, `SafeMarkup::checkPlain()`, and other removed/deprecated methods
  • Should review security improvements around HTML escaping and form handling
  • Can use new `#plain_text` render array property instead of `SafeMarkup::checkPlain()`
  • Need to adapt to changes in the migration system if working with migrations

Contributors:

  • alexpott
  • webchick
  • xjm
  • effulgentsia
  • dbuytaert