Drupal Release: 8.0.0-beta16

TL;DR

Drupal 8.0.0-beta16 brings significant improvements to security, performance, and developer experience. This release focuses heavily on fixing HTML escaping and placeholder handling in Drupal's templating system, with major changes to the SafeMarkup system that's now renamed to MarkupInterface. The update also includes important migration path improvements, accessibility enhancements, and numerous bug fixes. Developers should pay special attention to the changes in string handling and templating as many APIs have been updated to improve security and consistency.

Highlight of the Release

• Renamed SafeMarkup system to MarkupInterface for better HTML security
• Upgraded to Twig 1.22 with improved caching and templating features
• Improved migration paths for Drupal 7 modules including Blocks, Shortcut, Image, and Aggregator
• Enhanced accessibility for forms, vertical tabs, and UI elements
• Moved system CSS files to Classy theme for better theming architecture
• Added block context mapping in the UI for improved site building
• Fixed critical issues with required fields and text editors
• Improved HTML filtering with better attribute restrictions
• Enhanced responsive image support with srcset/sizes attributes
• Consolidated vendor directories for better dependency management

Migration Guide

for Drupal 8.0.0-beta16

SafeMarkup to MarkupInterface Changes

• Replace use Drupal\Component\Utility\SafeMarkup with use Drupal\Component\Render\MarkupInterface
• Replace SafeMarkup::checkPlain() with Html::escape()
• Replace SafeMarkup::format() with appropriate string formatting methods
• Review all string handling code to ensure proper escaping

String Placeholder Changes

• Replace !placeholder with @placeholder for regular text that needs escaping
• Replace !placeholder with :placeholder for URLs that need filtering
• Keep @placeholder for already escaped text
• Review all t() and format_string() calls to ensure proper placeholder usage

Theme Function Changes

• PHPTemplate has been removed; ensure your themes use Twig templates
• CSS files have moved from System module to Classy theme
• Menu class generation is now in templates, not in preprocessing functions
• Use the new Twig filter for date formatting: {{ date|format_date('medium') }}

API Changes

• drupal_process_attached() is deprecated; use the Renderer service instead
• conf_path() has been removed; use appropriate service methods instead
• Review code that uses hook_tokens() as the $sanitize parameter behavior has changed
• Entity bundle machine names can no longer be updated

Form and Field Changes

• GET forms no longer have CSRF tokens by default
• Required fields with text editors need special handling for AJAX rebuilds
• Review entity reference fields for proper translation handling

Upgrade Recommendations

Priority: High

This beta release contains significant changes to Drupal's string handling and security architecture. Developers should prioritize upgrading to this version to benefit from the improved security features and to ensure their code remains compatible with future releases.

Preparation Steps:

1. Audit custom code for usage of SafeMarkup, t(), format_string(), and other string handling functions
2. Review all templates for proper escaping and placeholder usage
3. Test thoroughly with special attention to forms with required fields and text editors
4. Update theme files if you're extending or overriding system templates

Potential Issues:

• Custom modules using SafeMarkup will need updates to use MarkupInterface
• Code using !placeholder in t() and format_string() will need updates
• Custom themes extending system templates may need adjustments due to CSS files moving to Classy

Benefits of Upgrading:

• Improved security with better HTML escaping and filtering
• Better performance with Twig 1.22 and improved caching
• Enhanced UI for block context mapping and configuration
• Fixed critical bugs with forms and entity references

This upgrade is strongly recommended for all Drupal 8 beta users to ensure compatibility with the upcoming release candidate and to benefit from the significant security and performance improvements.

Bug Fixes

Critical Bug Fixes

• Fixed issues with required text fields with Text Editor + AJAX form rebuilds causing unsubmittable forms
• Fixed fatal errors during or after adding default values for autocomplete widgets
• Fixed entity denormalization failing to retrieve bundle
• Fixed Views replacement token BC layer allowing for Twig template injection via arguments
• Fixed inline errors not showing for details elements
• Fixed Views fatal error when grouping on a field without a label set
• Fixed pager "first" and "previous" links having incorrect URLs
• Fixed entity references of untranslatable fields not displaying in the correct translation

UI and Form Fixes

• Fixed confirm password "Passwords match" text color
• Fixed long forum description breaking the layout in forum list
• Fixed user edit form status radio buttons being empty if user status was blocked
• Fixed comment field displayed last regardless of assigned weight
• Fixed login block not shown on user/register
• Fixed nested form tag in views forms
• Fixed password field errors on user create/edit/login when password is (literally) 0
• Fixed administrative toolbar edit button text not visible in Stark
• Fixed vertical tabs not being keyboard accessible

Theme and Display Fixes

• Fixed shortcut action link styling in Bartik
• Fixed Views module CSS not being attached
• Fixed dropbutton library only loading on cache rebuild
• Fixed toolbar's orientation-toggling arrows
• Fixed Views field rendering on multiple instances of one field

New Features

String Handling and Security

• Renamed SafeMarkup system to MarkupInterface for better HTML security
• Made t() return a TranslatableString object instead of relying on static safe lists
• Made format_plural() return a PluralTranslatableString object
• Added new :placeholder format for URLs in SafeMarkup::format() that handles bad protocols
• Added Twig filter for date formatting

UI and Theming

• Moved system CSS files to Classy theme for better theming architecture
• Added block context mapping in the UI
• Converted "title" page element into a block
• Reordered tabs in configuration UI for better usability
• Added option to use srcset and/or sizes attributes on img tag instead of picture element

Migration

• Added migration paths for Drupal 7 modules:
  • Blocks
  • Shortcut
  • Image
  • Aggregator
  • Tracker
• Added rollback functionality to migrate
• Improved tracking of simple configuration migrations

Performance

• Made contexts immutable for better performance
• Consolidated vendor directories for better dependency management
• Improved APCu Class Loader with automatic invalidation

Security Updates

Security Improvements

• Renamed SafeMarkup system to MarkupInterface for better HTML security architecture
• Fixed Views replacement token BC layer that allowed for Twig template injection via arguments
• Improved HTML filtering with ability to restrict HTML attributes, with only a small whitelist allowed by default
• Made t() return a TranslatableString object to remove reliance on a static, unpredictable safe list
• Made format_plural() return a PluralTranslatableString object for better security
• Added new :placeholder format for URLs in SafeMarkup::format() that handles bad protocols
• Limited all DB drivers to executing single statements by checking for delimiter
• Fixed hook_tokens() $sanitize option to be compatible with HTML sanitization requirements
• Improved documentation about attribute values in t() and SafeMarkup::format() that may be insecure
• Allowed sites using 'image_allow_insecure_derivatives' variable to have partial protection from security issues

Performance Improvements

Performance Enhancements

• Made contexts immutable for better performance and reliability
• Upgraded to Twig 1.22 with improved caching system
• Implemented custom Twig cache class for better performance
• Removed the ability to configure a block's cache max-age for more consistent caching
• Improved auto-placeholdering for #lazy_builder with bubbling of contexts and tags
• Consolidated vendor directories into a single location for better dependency management
• Improved APCu Class Loader with automatic invalidation when necessary
• Removed placeholdering of node links for better performance
• Limited all DB drivers to executing single statements by checking for delimiter, improving security and performance

Impact Summary

Drupal 8.0.0-beta16 represents a significant milestone in the Drupal 8 development cycle, focusing heavily on security, performance, and developer experience. The most impactful change is the complete overhaul of the SafeMarkup system, now renamed to MarkupInterface, which fundamentally improves how Drupal handles HTML escaping and string safety. This change affects nearly all code that generates HTML output.

The release also brings major improvements to the migration system, adding support for migrating from Drupal 7 modules like Blocks, Shortcut, Image, and Aggregator. This is crucial for sites planning to upgrade from Drupal 7 to Drupal 8.

Theming receives significant attention with system CSS files moving to the Classy theme, improving the theme inheritance system. The addition of a Twig filter for date formatting and better menu class generation in templates gives theme developers more control and flexibility.

Performance improvements include making contexts immutable, upgrading to Twig 1.22 with a custom cache implementation, and consolidating vendor directories. These changes result in better caching and more efficient code execution.

Several critical bugs have been fixed, particularly around forms with required fields and text editors, entity references, and Views functionality. The HTML filtering system has been enhanced to restrict attributes, improving security by default.

This beta release demonstrates Drupal 8's continued maturation toward a stable release, with significant attention to security, developer experience, and migration paths from Drupal 7.