Drupal Release: 9.5.6

Tag Name: 9.5.6

Release Date: 3/24/2023

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 9.5.6 is a maintenance release that addresses numerous bug fixes, security improvements, and documentation updates. Key highlights include fixes for XSS vulnerabilities, improved Layout Builder functionality, better PHP 8.1 compatibility, and enhanced entity handling. This release focuses on stability and security rather than introducing new features, making it an important update for all Drupal 9.5.x sites.

Highlight of the Release

    • Fixed XSS vulnerabilities in filter_xss and Xss::filter functions
    • Improved Layout Builder filtering to prevent blank spaces
    • Fixed PHP 8.1 compatibility issues
    • Updated CKEditor 4 to 4.21.0 and CKEditor 5 to 36.0.1
    • Fixed language switcher block exception when no route is matched
    • Enhanced #states functionality to properly check/uncheck checkboxes

Migration Guide

No specific migration steps are required for this release as it contains primarily bug fixes and security updates. Standard update procedures apply:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Update Drupal core codebase to 9.5.6
  4. Run the update script by navigating to /update.php in your browser
  5. Take your site out of maintenance mode
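The five steps above can be scripted. The following is an added example, not part of the Drupal release or its documentation. It assumes a Composer-managed site that requires `drupal/core-recommended`, Drush on the PATH, and the `web/sites/default/files` layout; `BACKUP_DIR` and its default are made up for illustration, and `drush updatedb` stands in for visiting /update.php.

```shell
#!/usr/bin/env bash
# Added example: scripted form of the five update steps (assumptions in the lead-in).
TARGET="9.5.6"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"   # hypothetical backup location

# Exit 0 only when $1 is a 9.5.x version older than TARGET.
needs_update() {
  case "$1" in 9.5.*) ;; *) return 1 ;; esac
  [ "$1" != "$TARGET" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$TARGET" | sort -V | head -n1)" = "$1" ]
}

# Print the commands for each step, in order. Nothing is executed here,
# so the plan can be reviewed before it is applied.
update_plan() {
  cat <<EOF
drush sql:dump --gzip --result-file=$BACKUP_DIR/pre-$TARGET.sql
tar -czf $BACKUP_DIR/pre-$TARGET-files.tar.gz web/sites/default/files
drush state:set system.maintenance_mode 1 --input-format=integer
composer require drupal/core-recommended:$TARGET --update-with-all-dependencies
drush updatedb --yes
drush cache:rebuild
drush state:set system.maintenance_mode 0 --input-format=integer
EOF
}

# Run the plan, stopping at the first failure. A failure after step 2 leaves
# the site in maintenance mode on purpose, so a half-updated site is not served.
run_update() {
  current="$(drush status --field=drupal-version)" || return 1
  needs_update "$current" || { echo "core $current: nothing to do"; return 0; }
  update_plan | while IFS= read -r cmd; do
    echo "+ $cmd"
    # </dev/null keeps the command from consuming the remaining plan lines.
    sh -c "$cmd" </dev/null || { echo "failed: $cmd" >&2; exit 1; }
  done
}

if [ "${1:-}" = "--apply" ]; then
  run_update
fi
```

Run it from the project root with `--apply`; without that argument it only defines the functions, and `update_plan` can be called on its own to review the commands.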

If you're using CKEditor 4 or 5, note that these have been updated to newer versions (4.21.0 and 36.0.1 respectively), but these updates should not require any specific migration steps.

Upgrade Recommendations

This release contains important security fixes and bug fixes that improve the stability and security of Drupal 9.5.x sites.

Priority: High

All sites running Drupal 9.5.x should upgrade to this version as soon as possible, especially those concerned about:

  • XSS vulnerabilities in text filtering
  • Layout Builder functionality
  • PHP 8.1 compatibility
  • CKEditor security

The update is particularly important for sites that:

  • Use Layout Builder
  • Have upgraded to PHP 8.1
  • Use CKEditor extensively
  • Rely on the language switcher block

As this is a maintenance release with no major architectural changes, the update process should be straightforward for most sites.

Bug Fixes

Core Functionality

  • Fixed issue where role permissions were not sorted when saving via admin/people/permissions
  • Fixed language switcher block exception when no route is matched
  • Corrected issue where a route with a default title of 0 did not work
  • Fixed entity storage exception during module install missing !message parameter
  • Fixed issue where 'node' variable in page.html.twig was not available on preview node page
  • Resolved issue with StorageComparer not working when storages are not in default collection

Layout Builder & UI

  • Fixed Layout Builder filter that was leaving blank spaces
  • Corrected issue where after using select to change plugin or region, element loses focus and page scrolls to bottom
  • Fixed early rendering issue in big_pipe_page_attachments() for controllers returning Response objects

Security & XSS

  • Fixed XSS vulnerabilities where Xss::filter and filter_xss could create malformed attributes
  • Fixed preg_split in _filter_url breaking for long HTML tags
  • Corrected Link HTTP header that should not be HTML-encoded

PHP 8 Compatibility

  • Fixed Views pagers doing math on disparate data types, resulting in type errors in PHP 8
  • Addressed PHP 8.1 deprecated function warning in LayoutBuilderUiCacheContext.php
  • Fixed UserInterface::getPassword() potentially returning NULL

Forms & States

  • Fixed long-standing issue where #states could not check/uncheck checkboxes elements
  • Corrected issue with validating managed files not accounting for null triggering elements

Views & Theming

  • Fixed Views more link container theme suggestions being in the wrong order
  • Corrected warning on AJAX call when changing the breakpoint_group field value of a responsive image style

Migration & Database

  • Fixed issue where Drupal\migrate\Plugin\migrate\source\SourcePluginBase::rewind() was rewinding database statements
  • Removed obsolete code from Drupal\sqlite\Driver\Database\sqlite\Statement

New Features

While Drupal 9.5.6 is primarily a bugfix and security release, it does include a few enhancements:

  • Added TermForm::getParentIds() method to allow overriding in contributed modules
  • Improved workspace handling to allow switching to any workspace in CLI requests
  • Enhanced documentation for entity characteristics and API functionality

Security Updates

  • Fixed XSS vulnerabilities in Xss::filter() and filter_xss() functions that could create malformed attributes when they should be stripped
  • Updated CKEditor 4 to version 4.21.0, addressing security vulnerabilities in the editor
  • Updated CKEditor 5 to version 36.0.1, incorporating security fixes
  • Fixed issue with Link HTTP headers being HTML-encoded, which could potentially lead to security issues
  • Improved validation of managed files to account for null triggering elements, preventing potential security issues

Performance Improvements

This release does not contain significant performance improvements as it primarily focuses on bug fixes and security enhancements. However, some of the fixes may indirectly improve performance:

  • Fixed database statement handling in migration source plugins, which could lead to more efficient database operations
  • Improved handling of Views pagers, potentially reducing computational overhead in certain scenarios
  • Removed obsolete code from SQLite database driver, which may slightly improve efficiency for sites using SQLite

Impact Summary

Drupal 9.5.6 is a security and bugfix release that addresses multiple vulnerabilities and improves overall stability. The most significant impacts include:

  1. Security Enhancements: Fixed XSS vulnerabilities in core filtering functions and updated CKEditor components to address security issues.

  2. Layout Builder Improvements: Fixed filtering issues that caused blank spaces and improved the user experience when changing plugins or regions.

  3. PHP 8.1 Compatibility: Addressed several PHP 8.1 deprecation notices and compatibility issues, making the platform more stable on newer PHP versions.

  4. Entity Handling: Improved various aspects of entity handling, including term forms, workspace functionality, and entity storage.

  5. Form States API: Fixed a long-standing issue with the #states API not properly handling checkboxes, which improves form functionality across the platform.

  6. Documentation: Enhanced API documentation, particularly around entity characteristics, which will help developers build more robust modules.

This release represents an important maintenance update that focuses on stability and security rather than new features, making it a recommended upgrade for all Drupal 9.5.x sites.

Statistics:

  • Files Changed: 300
  • Line Additions: 1,188
  • Line Deletions: 1,046
  • Line Changes: 2,234
  • Total Commits: 47

Users Affected:

  • Improved security with XSS vulnerability fixes
  • Fixed language switcher block functionality
  • Better role permission handling when saving via admin interface
  • Enhanced Layout Builder filtering experience

Contributors:

larowlan, bbenjamin, alexpott, longwave, lauriii, xjm