Drupal Release: 8.0.0-rc1

TL;DR

Drupal 8.0.0-rc1 marks a significant milestone in the development of Drupal 8, bringing major improvements to security, performance, and developer experience. This release focuses on HTML sanitization and security hardening, introduces new theming capabilities with Twig templates and BEM standards, enhances multilingual support, and improves the migration framework. The release also includes significant API improvements and deprecations as the platform stabilizes toward the final release.

Highlight of the Release

• Introduction of MarkupInterface (formerly SafeStringInterface) and improved HTML sanitization for better security
• New Stable base theme added to core for better backwards compatibility in theming
• Enhanced multilingual support with improved translation handling and interface
• Improved migration framework for Drupal 7 to Drupal 8 upgrades
• Conversion of more theme functions to Twig templates for better theming
• Addition of libraries-override and libraries-extend capabilities for themes
• Improved responsive image handling with srcset/sizes attributes
• Better configuration entity dependency tracking and calculation
• Optimized caching with better cache tags and contexts
• Improved accessibility in forms and UI elements

Migration Guide

Deprecated Functions and APIs

• Removed Functions:

  • drupal_process_attached() has been removed (#2554771)
  • UrlGeneratorInterface::generateFromPath() has been removed (#2575869)
  • conf_path() has been removed from core (#2573443)

• Renamed Interfaces:

  • SafeStringInterface has been renamed to MarkupInterface (#2576533)
  • CacheablePluginInterface has been replaced with CacheableDependencyInterface (#2464427)

• Removed Parameters:

  • The $langcode parameter has been removed from the entity view/render system (#2073217)
  • The $langcode parameter has been removed from EntityAccessControllerInterface::access() and related methods (#2072945)

Configuration Changes

• Configuration Directory: The CMI import/export directory "staging" has been renamed to "sync" (#2487588)

Theme Changes

• New Base Theme: A new Stable base theme has been added to core and is now the default if a base theme is not specified (#2575421)
• PHPTemplate Removal: PHPTemplate has been removed; themes must now use Twig (#2574717)
• Theme Functions to Templates: Many theme functions have been converted to Twig templates:
  • theme_views_view_fields() (#2348747)
  • theme_views_view_field() (#2348729)
  • theme_system_modules_details() (#2151109)
  • theme_system_modules_uninstall() (#2151113)
  • theme_indentation() (#2578567)

Entity Reference Changes

• Module Deprecation: The entity_reference module has been deprecated and its functionality moved to core (#2429191)
• Bundle Machine Names: The ability to update entity bundle machine names has been removed (#2172843)

Other Important Changes

• Automatic Cron: Automatic cron has been moved to a dedicated module (#2507031)
• Vendor Directory: A single vendor directory is now used in the root (#2380389)
• Mobile Zoom: Mobile browsers are no longer prevented from zooming on form inputs (#2516918)
• Inline Form Errors: "Inline Form Errors" functionality has been moved to an optional module, restoring D7-style form errors by default (#2578561)

Upgrade Recommendations

This release (8.0.0-rc1) represents a significant step toward the final Drupal 8.0.0 release and includes important security improvements, bug fixes, and feature enhancements. As a release candidate, it's more stable than previous beta releases but may still contain some issues.

For developers working on Drupal 8 sites or modules:

• Upgrade to this release to test your code against the latest API changes
• Pay special attention to the security improvements around HTML sanitization and the new MarkupInterface
• Update any code that uses deprecated functions or APIs mentioned in the migration guide
• Test thoroughly with the new Stable base theme if you're developing custom themes

For site owners running Drupal 7:

• This release is not yet recommended for production sites migrating from Drupal 7
• However, you can use this release to begin testing your migration path as significant improvements have been made to the migration framework
• Create a development environment to test the migration of your content and configuration

For site owners running Drupal 8 beta releases:

• Upgrade to this release is recommended for development and testing environments
• Be aware that some configuration may need to be updated, particularly related to entity references and themes
• Test thoroughly after upgrading, especially if you're using custom themes or modules

Important note for all users:

• The configuration directory has changed from "staging" to "sync" - update any scripts or workflows that reference this directory
• Review the security improvements and ensure your custom code follows the new best practices for HTML sanitization
• If you're experiencing issues with forms or UI elements, check if they're related to the fixed bugs in this release

Bug Fixes

Security and HTML Handling

• Views Render Pipeline: Fixed issue where Views render pipeline was escaping CustomBooleanTest (#2560553)
• Views Module CSS: Fixed regression where Views module CSS was not being attached (#2529748)
• SafeMarkup Format: Improved SafeMarkup::format() to return a safe string object (#2559971)
• Filter Module: Fixed error in filter.module related to getElementsByTagName() (#2511306)

Multilingual and Translation

• Language Addition: Fixed validation errors when adding another language (#2351667)
• Entity References: Fixed issue where entity references of untranslatable fields were not displayed in the correct translation (#2543258)
• Entity Revisions: Fixed issue where reverting to an older entity revision with fewer translations led to fatal errors (#2579187)
• Node Revision UI: Fixed issue where Node revision UI was reverting multiple languages when only one should be reverted (#2465907)

Forms and UI

• CSRF Tokens: Fixed issue where GET forms had CSRF tokens by default (#2571995)
• Field Dependencies: Fixed issue where field delete form did not display configuration dependencies (#2575605)
• Role Deletion: Fixed issue where deleting a role didn't invalidate user_roles() static cache (#2572667)
• Form Required Attribute: Fixed issue where states.js was appending span.form-required to every label of a dependent field (#1239930)
• Vertical Tabs: Fixed regression where vertical tabs were not keyboard accessible (#2574917)

Entity and Field Handling

• Entity Changed Timestamp: Fixed issue where content entity changed timestamp was not updated on UI save (#2506213)
• Entity Reference Selection: Fixed issue where Entity Reference default selection plugin ignored matches if an entity type had no label key (#2281533)
• Field Settings: Fixed issue where some entity_reference fields got the wrong Selection handler (#2578249)
• Number Fields: Fixed PDOException due to incorrect validation of number fields (#1218814)

Views and Display

• Views Display: Fixed issue where Views was only able to add Attachment display (#2579615)
• Views Filter: Fixed issue where FieldList filter was using an undefined function (#2578433)
• Views Validation: Fixed issue where validation criteria of contextual filter stayed active after unchecking 'Specify validation criteria' (#2468851)

Other Fixes

• Block Migration: Fixed issue where blocks would not migrate properly when migrating to the same theme with different region names (#2569703)
• Comment Preview: Fixed issue where comment body didn't show up in preview for Anonymous users (#2574597)
• Toolbar Display: Fixed issue where admin toolbar had a div over the options when oriented vertically (#2570681)
• Editor Caption: Fixed issue where "Enter caption here" text was missing due to auto-created <br> (#2563505)

New Features

Theming Improvements

• New Stable Base Theme: Added a Stable base theme to core that provides backwards compatibility for themes (#2575421)
• Libraries Override/Extend: Added libraries-override (#2451411) and libraries-extend (#2497667) capabilities to themes' *.info.yml files
• Twig Date Filter: Added a Twig filter for date formatting (#2571561)
• Active Theme Path: Added an active_theme_path Twig function (#2416857)
• Menu Rendering in Templates: Menu class generation now happens in templates rather than functions (#2547159)

Responsive Images

• Srcset/Sizes Support: Added option to use srcset and/or sizes attributes on img tags instead of the picture element (#2348255)
• Original Image Selection: Added ability to select the original image when creating a responsive image style (#2534066)

Multilingual Improvements

• Translation Handling: Fixed issues with entity translations and improved language handling throughout the system
• Configuration Translation: Improved handling of configuration translations during module installation (#2580575)

Migration Framework

• Improved Migration Tools: Enhanced tools for migrating from Drupal 7 to Drupal 8
• Migration Paths: Added migration paths for Aggregator (#2500469), Image (#2500483), Shortcut (#2500513), and Tracker (#2500535) modules
• Rollback Functionality: Added rollback functionality to migrate (#2361093)

Security and Performance

• Automated Cron Module: Moved automatic cron to a dedicated module for better performance (#2507031)
• Cache Optimization: Improved caching with better cache tags and contexts (#2454649)
• Memory Management: Fixed memory leaks in image operations (#2531678)

Security Updates

HTML Sanitization and Security

• MarkupInterface: Renamed SafeStringInterface to MarkupInterface and moved related classes for better security (#2576533)
• HtmlEscapedText: Introduced HtmlEscapedText and removed SafeMarkup::setMultiple(), SafeMarkup::getAll(), and the static safeStrings list (#2575615)
• SafeMarkup Format: Improved SafeMarkup::format() to return a safe string object and removed reliance on a static, unpredictable safe list (#2559971)
• Theme Autoescape: Documented lack of auto-escape in theme functions and added a theme autoescape helper function (#2572929)
• Placeholder Removal: Removed !placeholder and unsafe string return from SafeMarkup::format() (#2571695)
• PlaceholderTrait Removal: Removed PlaceholderTrait for security reasons (#2577785)

Form Security

• CSRF Tokens: Fixed issue where GET forms had CSRF tokens by default (#2571995)
• CSRF Protection: Improved CSRF token handling by pushing tokens for forms to placeholders + #lazy_builder (#2463567)

HTML Filtering

• HTML Tag Filtering: Enhanced the "Limit allowed HTML tags" filter to also restrict HTML attributes, with only a small whitelist of attributes allowed by default (#2549077)
• Attribute Documentation: Documented that certain (non-"href") attribute values in t() and SafeMarkup::format() are not supported and may be insecure (#2570431)

Token Security

• Token Sanitization: Fixed hook_tokens() $sanitize option to be compatible with HTML sanitization requirements (#2567257)
• String Type Safety: Ensured TranslatableMarkup accepts string values only (#2570285)

Other Security Improvements

• Base URL Override: Provided a setting to override base URL when creating links to public files (#2522008)
• Base URL Removal: Removed the option to specify a base_url from within settings.php (#2528988)

Performance Improvements

Caching Improvements

• Cache Optimization: Implemented cache optimization and hardening by using assert() instead of exceptions in Cache::merge(Tags|Contexts) (#2454649)
• Cache Tags: Improved handling of cache tags in search results and other areas (#2464409)
• Response Caching: Enhanced determination of which responses should be cached using CacheableResponseInterface (#2476407)
• Cache Invalidation: Improved cache invalidation for entity displays when dependencies are removed (#2562107)

Entity and Field Handling

• Entity Storage: Made contexts immutable for better performance (#2508884)
• Entity Translation: Optimized handling of entity translations (#2073217, #2072945)
• Field Handling: Improved performance of entity reference fields (#2429191)

Memory Management

• Image Operations: Fixed memory leaks in 'create_new' and 'rotate' image operations (#2531678)

JavaScript and CSS

• Statistics Module: Fixed issue where statistics library was not loaded if node template didn't print it (#2458601)
• Breakpoint Detection: Removed the Drupal.checkWidthBreakpoint method from drupal.js in favor of window.matchMedia (#2118663)

Configuration Management

• Configuration Dependencies: Improved calculation of configuration entity dependencies on install (#2520526)
• Enforced Dependencies: Optimized handling of enforced configuration dependencies (#2520540)

Other Performance Improvements

• Automated Cron: Moved automatic cron to a dedicated module for better performance optimization (#2507031)
• APCu Class Loader: Improved APCu Class Loader to invalidate automatically when necessary (#2575495)
• AJAX State: Optimized handling of ajax_page_state for normal GET requests (#2497115)

Impact Summary

Drupal 8.0.0-rc1 represents a significant milestone in the Drupal 8 development cycle, bringing the platform closer to its final release. This release candidate focuses on security hardening, particularly around HTML sanitization with the introduction of MarkupInterface (formerly SafeStringInterface) and the removal of unsafe placeholders. These changes substantially improve Drupal's security posture but require developers to update their code accordingly.

The theming system has seen major improvements with the addition of a new Stable base theme that provides backwards compatibility, the conversion of more theme functions to Twig templates, and new capabilities like libraries-override and libraries-extend in theme info files. The removal of PHPTemplate means all themes must now use Twig.

Multilingual support continues to improve with fixes for entity translations and better handling of configuration translations. The migration framework has been enhanced with new migration paths for several modules and improved tools for Drupal 7 to Drupal 8 upgrades.

Performance optimizations include better caching with improved cache tags and contexts, optimized entity handling, and moving automatic cron to a dedicated module. Accessibility improvements have been made to forms, vertical tabs, and other UI elements.

For developers, several APIs have been deprecated or removed, including drupal_process_attached() and UrlGeneratorInterface::generateFromPath(). The configuration directory has been renamed from "staging" to "sync", which may affect existing workflows.

Overall, this release brings Drupal 8 much closer to a production-ready state with significant improvements in security, performance, and developer experience. Site builders and developers should begin testing their sites and modules against this release candidate to prepare for the final Drupal 8.0.0 release.