Drupal 8.4.0, 2017-10-04 ------------------------ ### Drush users: Update to Drush 8.1.12+ or higher [Versions of Drush earlier than 8.1.12 will not work with Drupal 8.4.x](https://www.drupal.org/node/2874827). Update Drush to 8.1.12 or higher **before using it to update to Drupal core 8.4.x** or you will encounter fatal errors that prevent updates from running. * If Drush is installed globally (i.e., generally available on the web host), Drush 8.1.12 and higher will successfully update Drupal 8.3.x to 8.4.0, but users may still see [other error messages after updates have run](https://github.com/drush-ops/drush/issues/2933).) * If the site is built with Composer and includes Drush as a local dependency (less common), you should update your `composer.json` file to require at least [Drush 8.1.15](https://github.com/drush-ops/drush/releases/tag/8.1.15). Drush 8.1.14 will not work in the same composer project as Drupal 8.4. ### Updated browser requirements: Internet Explorer 9 and 10 no longer supported In April 2017, Microsoft discontinued all support for Internet Explorer 9 and 10. Therefore, [Drupal 8.4 has as well](https://www.drupal.org/node/2842298). Drupal 8.4 still mostly works in these browser versions, but bugs that affect them only will no longer be fixed, and existing workarounds for them will be removed beginning in Drupal 8.5. Additionally, Drupal 8's [browser requirements documentation page](https://www.drupal.org/docs/8/system-requirements/browser-requirements) currently lists incorrect information regarding very outdated browser versions such as Safari 5 and Firefox 5. [Clarifications to the browser policy and documentation](https://www.drupal.org/node/2390621) are underway. ### Known Issues Drupal 8.4.0 includes major version updates for two dependencies: Symfony 3.2 and jQuery 3. Both updates may introduce backwards compatibility issues for some sites or modules, so test carefully. For more information, see the "Third-party library updates" section below. Known issues related to the Symfony update include: * Drush issues: * [Incompatibility with Drush 8.1.11 and earlier](https://www.drupal.org/node/2874827). * [Other error messages with Drush 8.1.12 and higher](https://github.com/drush-ops/drush/issues/2933). * [Incompatibility with Drush 8.1.14 and earlier for Composer-built sites](https://github.com/drupal-composer/drupal-project/issues/305). * [Certain file uploads may fail silently](https://www.drupal.org/node/2906030) due to a Symfony 3 backwards compatibility break if they used the `$deep` parameter (which was already deprecated in Symfony 2.8 and is removed in Symfony 3.0. *Check any custom file upload code* that may have used the deprecated parameter and [update it according to the API change record](https://www.drupal.org/node/2743809). See the ['8.4.0 update' tag for a list of known issues across projects](https://www.drupal.org/project/issues/search?issue_tags=8.4.0%20update). [Search the issue queue for known issues](https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status%5B%5D=Open&version%5B%5D=8.x&issue_tags_op=%3D). ### Important fixes since 8.3.x Translators should take note of several [string additions and changes since the last release](https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&issue_tags_op=%3D&issue_tags=String+change+in+8.4.0). #### File usage tracking Drupal 8 has several longstanding [file usage tracking bugs](https://www.drupal.org/node/2821423). To prevent further data loss, Drupal 8.4 has [disabled the automatic deletion of files with no known remaining usages](https://www.drupal.org/node/2801777). This will result of the accumulation of unused files on sites, but ensures that files erroneously reporting 0 usages are not deleted while in use. Additionally, an issue with [validation errors when saving content referencing these files](https://www.drupal.org/node/2896480) has also been resolved. [The change record explains how sites can opt back into marking files temporary](https://www.drupal.org/node/2891902). If you choose to enable the setting, you can also set "Delete orphaned files" to "Never" on `/admin/config/media/file-system` to avoid permanent deletion of the affected files. While the files will no longer be deleted by default, file usage is still not tracked correctly in several scenarios, regardless of the setting. Discussion on [how to evolve the file usage tracking system](https://www.drupal.org/node/2821423) is underway. #### Configuration export sorting * [#2361539: Config export key order is not predictable for sequences, add orderby property to config schema](https://www.drupal.org/node/2361539) resolves an issue where sequences in configuration were not sorted unless the code responsible for saving configuration explicitly performed a sort. This resulted in unpredictable changes in configuration ordering and confusing diffs even when nothing had changed. To resolve this issue, we've [added an `orderby` key to the config schema](https://www.drupal.org/node/2852566) that allows it to be sorted either by key or by value. Adding a preferred sort is strongly recommended. * Two related issues remain open: * [#2860531: Add orderby key to third-party settings](https://www.drupal.org/node/2860531) relates to unsorted sequences which result in unexpected discrepancies in configuration during a configuration import. * [#2885368: Config export key order for sequences: "orderedby" does not support cases where the order actually matters](https://www.drupal.org/node/2885368) relates to various sequences in core and contributed modules in which the source order is important. #### Revision data integrity fixes * Previously, data from draft revisions for [path aliases](https://www.drupal.org/node/2856363), [menus](https://www.drupal.org/node/2858434), and [books](https://www.drupal.org/node/2858431) could leak into the live site. Drupal 8.4.0 hotfixes all three issues by preventing changes to this data from being saved on any revision that is not the default revision. These fixes improve revision support for both stable features and the experimental Content Moderation module. * Correspondingly, [Content Moderation now avoids such scenarios with non-default revisions](https://www.drupal.org/node/2883868) by setting the 'default revision' flag earlier. * Previously, [saving a revision of an entity translation could cause draft revisions to go "missing"](https://www.drupal.org/node/2766957). Drupal 8.4.0 prevents this by preventing the moderation state from being set to anything that would make the revision go "missing". Going forward, the entity system will also [provide the 'revision_translation_affected' base field by default for all revisionable and translatable entity types](https://www.drupal.org/node/2896845) for tracking such revisions. * [A similar but unrelated bug in Content Moderation](https://www.drupal.org/node/2862988) has also been fixed in this release. #### Other critical improvements * When nodes were deleted, Menu UI module deleted their menu items. However, menu items may exist even whenm Menu UI module is not enabled and can also be attached to entities other than nodes. Therefore, menu item cleanup on entity deletetion [is now performed by the Custom Menu Links module](https://www.drupal.org/node/2350797) instead, covering the previously missing cases. A related issue that [broke module uninstallation for some modules providing menu items for certain entity forms](https://www.drupal.org/node/2907654) has also been resolved. * A race condition occured in the Batch API when using fastcgi. The Batch API now ensures that [the current batch state is written completely to the database before starting the next batch](https://www.drupal.org/node/2851111). * When uninstalling modules, empty fields were left behind to be purged. However, without the field definitions from the module, it was not possible to purge them any more. [Empty field deletion is now performed immediately](https://www.drupal.org/node/2884202) instead to avoid this scenario. * When clearing caches in a translated interface, the field labels would [return to the default language](https://www.drupal.org/node/2650434). ### New stable modules The following modules, previously considered experimental, are now stable and safe for use on production sites, with full backwards compatibility and upgrade paths from 8.4.0 to future releases: #### Datetime Range The [Datetime Range module](https://www.drupal.org/node/2893128) provides a field type that allows end dates to support contributed modules like [Calendar](https://www.drupal.org/project/calendar). This stable release is backwards-compatible with the 8.3.x experimental version and shares a consistent API with other Datetime fields. Future releases may improve Views support, usability, Datetime Range field validation, and REST support. For bugs or feature requests for this module, [see the core Datetime issue queue](https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status%5B%5D=Open&version%5B%5D=8.x&component%5B%5D=datetime.module&issue_tags_op=%3D). #### Layout Discovery The [Layout Discovery module](https://www.drupal.org/node/2834025) provides an API for modules or themes to register layouts as well as five common layouts. Providing this API in core enables core and contributed layout solutions to be compatible with each other. This stable release is backwards-compatible with the 8.3.x experimental version and introduces [support for per-region attributes](https://www.drupal.org/node/2885877). #### Media The new core [Media module](https://www.drupal.org/node/2831274) provides an API for reusable media entities and references. It is based on the contributed [Media Entity module](https://www.drupal.org/project/media_entity). Since there is a rich ecosystem of Drupal contributed modules built on Media Entity, the top priority for this release is to [provide a stable core API and data model](https://www.drupal.org/node/2895059) for a smoother transition for these modules. Developers and expert site builders can now add Media as a dependency. Work is underway to [provide an update path for existing sites' Media Entity data](https://www.drupal.org/node/2880334) and to [port existing contributed modules to the improved core API](https://www.drupal.org/node/2860796). Both versions cannot be used at the same time, so we also [prevent the 1.x version of the contributed Media Entity module from being enabled at the same time as the core Media module](https://www.drupal.org/node/2896427). Note that **the core Media module is currently marked hidden** and will not appear on the 'Extend' (module administration) page. (Enabling a contributed module that depends on the core Media module will also enable Media automatically.) The module will be displayed to site builders normally once user experience issues with it are resolved. Similarly, the REST API and normalizations for Media is not final and support for decoupled applications will also be improved in a future release. #### Inline Form Errors The [Inline Form Errors module](https://www.drupal.org/node/2897652) provides a summary of any validation errors at the top of a form and places the individual error messages next to the form elements themselves. This helps users understand which entries need to be fixed, and how. Inline Form Errors was provided as an experimental module from Drupal 8.0.0 on, but it is now stable and polished enough for production use. See the core [Inline Form Errors module issue queue](https://www.drupal.org/project/issues/drupal?text=&status=Open&priorities=All&categories=All&version=All&component=inline_form_errors.module) for outstanding issues. #### Workflows The Workflows module provides an abstract system of states (like Draft, Archived, and Published) and transitions between them. Workflows can be used by modules that implement non-publishing workflows (such as for users or products) as well as content publishing workflows. Drupal 8.4 introduces a final significant backwards compatibility and data model break for this module, [moving responsibility for workflow states and transitions from the Workflow entity to the Workflow type plugin](https://www.drupal.org/node/2849827). Read [Workflow type plugins are now responsible for state and transition schema](https://www.drupal.org/node/2897706) for full details on the API and data model changes related to this fix. Now that this change is complete, [the Workflows module became stable](https://www.drupal.org/node/2897130)! While the module can be installed as-is, it is not useful in itself without either Content Moderation and/or some other module that requires it. ### Content authoring and site administration improvements * The "Save and keep (un)published" dropbutton has been replaced with [a "Published" checkbox and single "Save" button](https://www.drupal.org/node/2068063). The "Save and..." dropbutton was a new design in Drupal 8, but users found it confusing, so we have restored a design that is more similar to the user interface for Drupal 7 and earlier. * Previously, deleting a field on a content type would also delete any views depending on the field. While the confirmation form did indicate that the view would be deleted, users did not expect the behavior and often missed the message, leading to data loss. [Now, the view is disabled instead](https://www.drupal.org/node/2468045). In the future, we intend to [notify users that configuration has been disabled](https://www.drupal.org/node/2832558) (as in this fix) as well as [give users clearer warnings for other highly destructive operations](https://www.drupal.org/node/2773205). * The [Drupal toolbar no longer flickers](https://www.drupal.org/node/2542050) during page rendering, thus improving perceived front-end performance. * Options in [timezones selector are now grouped by regions](https://www.drupal.org/node/2847651) and labeled by cities instead of timezone names, making it much easier for users to find and select the specific timezone they need. * Both the ["Comments" administration page at `/admin/content/comment`](https://www.drupal.org/node/1986606) and the ["Recent log messages" report provided by dblog](https://www.drupal.org/node/2015149) are now configurable views. The "Comments" administration page also [has some default filters added](https://www.drupal.org/node/2898344). * Useful meta information about a node's status is typically displayed at the top of the node sidebar. Previously, this meta information was provided by the Seven theme, so it was not available in other administrative themes. [This meta information is now provided by node.module itself](https://www.drupal.org/node/2803875) so other administration themes can access it. * [Views now supports rendering computed fields](https://www.drupal.org/node/2852067). ### REST and API-first improvements * Authenticated REST API performance increased by 15% by [utilizing the Dynamic Page Cache](https://www.drupal.org/node/2827797). * POSTing entities [can now happen at `/node`, `/taxonomy/term` and so on](https://www.drupal.org/node/2293697), instead of `/entity/node`, `/entity/taxonomy_term`. Instead of confusingly different URLs, they therefore now use the URLs you'd expect. Backwards compatibility is maintained. * There is now a dedicated resource for [resetting a user's password](https://www.drupal.org/node/2847708). * Time fields now are [normalized to RFC3339 timestamps by default](https://www.drupal.org/node/2768651), fixing time ambiguity. Existing sites continue to receive UNIX timestamps, but can opt in. [See the change record for more information about backwards compatibility and on how to opt in](https://www.drupal.org/node/2859657). * [Path alias fields are now normalized as well](https://www.drupal.org/node/2846554). [See the change record for information about how this impacts API-first modules and other features relying on serialized entities](https://www.drupal.org/node/2856220). * When denormalization fails, a [422 response is now returned](https://www.drupal.org/node/2827084) instead of a 400, per the HTTP specification. * With CORS enabled to allow origins besides the site's own host, [submitting forms was broken](https://www.drupal.org/node/2853201) unless the site's own host was also explicitly allowed. This is now resolved. * Fatal errors and exceptions [now show a backtrace](https://www.drupal.org/node/2853300) for all non-HTML requests as well as HTML requests, which makes for easier debugging and better bug reports. * Massive expansion of test coverage. ### Performance and scalability improvements * Drupal 8 caches at various different levels for more effective caching. However, this resulted in exessively growing cache tables with tens or hundreds of thousands of entries, and gigabytes in size. [A new limit of 5000 rows per cache bin was introduced to limit this growth](https://www.drupal.org/node/2526150). * The internal page cache now [has a dedicated cache bin](https://www.drupal.org/node/2889603) distinct from the rest of the render cache for improved scalability. * The service collector pattern instantiates all services it collects, which is expensive, and unnecessary for some use cases. For those use cases, a [new service ID collector](https://www.drupal.org/node/2472337) pattern has been added and the theme negotiator updated to use it. [See the change record for information about how to use the service ID collector](https://www.drupal.org/node/2598944) for improved performance. * The maximum time in-progress forms are cached [is now customizable](https://www.drupal.org/node/1286154) rather than being limited to a default cache lifetime of 6 hours. Sites can decrease the lifetime to reduce cache footprint, or increase it if needed for a particular site's usecase. [See the change record to learn how to access this new setting](https://www.drupal.org/node/2886836). * If there are no status messages, the corresponding rendering [is now skipped](https://www.drupal.org/node/2853509). On simple sites that use the Dynamic Page Cache (the default), this can result in a 10% improvement when there are no messages! * [Optimized the early Drupal installer](https://www.drupal.org/node/2872611) to check whether any themes are installed first before invoking an unnecessary function, which improves Drupal install time measurably for both sites and automated tests. ### Developer experience improvements * [Adopted Airbnb JavaScript style guide 14.1](https://www.drupal.org/node/2815077) as the new baseline set of coding standards for Drupal core and contributed modules. [See the change record for information about how to configure your project for eslint](https://www.drupal.org/node/2873849). * Field type definitions can now [enforce the cardinality of the field](https://www.drupal.org/node/2403703). [See the change record for information about how to specify a cardinality via the annotation](https://www.drupal.org/node/2869873). * [Added new methods](https://www.drupal.org/node/2869809) to make getting typed configuration entity representations easier. [See the change record for more information about how to invoke these methods](https://www.drupal.org/node/2877282). * The `html_tag` render element now [supports nested render arrays](https://www.drupal.org/node/2694535), enabling the creation of dynamic SVGs. [See the change record for information about how you can use this in your theme](https://www.drupal.org/node/2887146). * [Added more helpful errors](https://www.drupal.org/node/2705037) when CSS is not properly nested under an existing category in asset libraries. * Also see the [change records for the 8.4.x branch](https://www.drupal.org/list-changes/drupal/published?keywords_description=&to_branch=8.4.x&version=&created_op=%3E%3D&created%5Bvalue%5D=&created%5Bmin%5D=&created%5Bmax%5D=) for other changes for developers. ### Automated testing improvements * [PHPUnit has been updated from 4.8.28 to 4.8.35](https://www.drupal.org/node/2850797) in order to incorporate a forward-compatibility layer for PHPUnit 4.8, which will be useful during a future migration to PHPUnit 5 or PHPUnit 6. * Many former WebTestBase tests were converted to BrowserTestBase. [Track current progress](http://simpletest-countdown.org/). * The default approach for testing deprecated code has changed to [require use of the Drupal core deprecation policy](https://www.drupal.org/node/2488860) (`@trigger_error()`) to mark code deprecated; otherwise a test error will be thrown. [See the change record for information about how to update `phpunit.xml` and how to test deprecated code](https://www.drupal.org/node/2811561). * BrowserTestBase is [no longer dependent on traits from Simpletest](https://www.drupal.org/node/2803621). Backwards compatibility is preserved. * [Resolved random test failures](https://www.drupal.org/node/2866056) due to ResourceTestBase's HTTP client timeout of 30 seconds. ### Third-party library updates * [Drupal's Symfony dependency has been updated from Symfony 2.8 to Symfony 3.2](https://www.drupal.org/node/2712647). This major version update is necessary because Symfony 2.8 support will end around the release of Drupal 8.6.0 next year. See the change record for information about [Symfony 3 backwards compatibility breaks that affected Drupal core](https://www.drupal.org/node/2743809). [Drupal 8 also requires Symfony 3.2.8](https://www.drupal.org/node/2871253) because of a bug in Symfony 3.2.7. * [#2533498: Update jQuery to version 3](https://www.drupal.org/node/2533498). Now that jQuery 3.0 has been released, jQuery 2.x will only be receiving security updates, so Drupal 8.4.0 ships with this library update. jQuery 3 features numerous improvements, including better error reporting. See the [jQuery Core 3.0 Upgrade Guide](https://jquery.com/upgrade-guide/3.0/) for information on jQuery 3 backwards compatibility breaks that might affect the JavaScript code in your modules, themes, and sites. * The zurb/joyride library (used by the Tour module) has been [updated to a development version higher than 2.1.0.1](https://www.drupal.org/node/2898808) to resolve an upstream incompatibility with jQuery 3. We will update to Joyride 2.1.1 once it is available with the needed fix. * [zendframework/zend-diactoros has been updated from 1.3.10 to 1.4.1](https://www.drupal.org/node/2874817). * [jQuery UI has been updated from 1.11.4 to 1.12.1](https://www.drupal.org/node/2809427). * [jQuery Once has been updated from 2.1.1 to 2.2.0](https://www.drupal.org/node/2899156). * [CKEditor has been updated from 4.6.2 to 4.7.2](https://www.drupal.org/node/2904142). * [asm89/stack-cors has been updated from 1.0 to 1.1](https://www.drupal.org/node/2853201). * [The minimum phpsec/prophecy requirement is now 1.4](https://www.drupal.org/node/2900800). * [composer/installers has been updated from 1.2.0 to 1.4.0](https://www.drupal.org/node/2900112). * [wikimedia/composer-merge-plugin has been updated from 1.4.0 to 1.4.1](https://www.drupal.org/node/2900112). * [guzzlehttp/guzzle has been updated from 6.2.3 to 6.3.0](https://www.drupal.org/node/2900112). * [mikey179/vfsstream has been updated from 1.6.4 to 1.6.5](https://www.drupal.org/node/2900112). * [phpunit/phpunit has been updated from 4.8.35 to 4.8.36](https://www.drupal.org/node/2900112). * [masterminds/html5 has been updated from 2.2.2 to 2.3.0](https://www.drupal.org/node/2909743). * [symfony-cmf/routing has been udpated from 1.4.0 to 1.4.1](https://www.drupal.org/node/2909743). ### Experimental modules #### Migrate ([beta stability](https://www.drupal.org/core/experimental#beta)) Migrate provides a general API for migrations. It will be considered completely stable once all issues tagged [Migrate critical](https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status%5B%5D=Open&version%5B%5D=8.x&issue_tags_op=%3D&issue_tags=Migrate+critical) are resolved. * This release includes numerous developer experience improvements for Migrate and Migrate Drupal, including [deprecating outdated references to "CCK"](https://www.drupal.org/node/2751897), [simplifying field type mapping](https://www.drupal.org/node/2896507), renaming several plugins to better capture their and many other API and documentation improvements. (Backwards compatibility is provided in each case Migrate is in beta.) * Added the ability to [provide the source module](https://www.drupal.org/node/2569805) to migrations to help site owners review what data is being migrating, especially for cases where the source and destination module are not the same (for example if a new Drupal 8 module replaces old functionality. #### Migrate Drupal and Migrate Drupal UI ([alpha stability](https://www.drupal.org/core/experimental#alpha)) Migrate Drupal module provides API support for Drupal-to-Drupal migrations, and Migrate Drupal UI offers a simple user interface to run migrations from older Drupal versions. * This release adds [date](https://www.drupal.org/node/2566779) and [node reference](https://www.drupal.org/node/2814949) support for Drupal 6 to 8 migrations. * Core provides migrations for most Drupal 6 data and can be used for migrating Drupal 6 sites to Drupal 8, and the Drupal 6 to 8 migration path is nearing beta stability. Some gaps remain, such as for some internationalization data. ([Outstanding issues for the Drupal 6 to Drupal 8 migration](https://www.drupal.org/project/issues/search/drupal?project_issue_followers=&status%5B%5D=1&status%5B%5D=13&status%5B%5D=8&status%5B%5D=14&status%5B%5D=15&status%5B%5D=4&issue_tags_op=%3D&issue_tags=migrate-d6-d8).) * The Drupal 7 to Drupal 8 migration is incomplete but is suitable for developers who would like to help improve the migration and can be used to test upgrades especially for simple Drupal 7 sites. Most high-priority migrations are available. ([Outstanding issues for the Drupal 7 to Drupal 8 migration](https://www.drupal.org/node/2456259).) * Drush support for Migrate is currently only available in the [Drupal Upgrade](https://www.drupal.org/project/migrate_upgrade) contributed module. (See the [pull request to add support to Drush](https://github.com/drush-ops/drush/issues/2140).) * Conflicting text field processing settings [are now identified and logged](https://www.drupal.org/node/2842222) to avoid security or data integrity issues with the migration of plain and formatted text fields. * Automatic redirects are now [added for translation node paths that are no longer valid](https://www.drupal.org/node/2850085) after migration has merged translations into a single node. * A data integrity bug that resulted in [duplicate comment types and incorrect comment_entity_statistics](https://www.drupal.org/node/2853872) for node and forum comment migrations has been resolved. * A bug that [stopped public files from being migrated from D6 to D8 if the user first selected Drupal 7 in the UI](https://www.drupal.org/node/2907233) has also been resolved. #### Content Moderation ([beta stability](https://www.drupal.org/core/experimental#beta)) Content Moderation allows workflows from the Workflows module to be applied to content. Content Moderation has beta stability in 8.4.0-alpha1. Notable improvements in this release: * Workflow states are now [selected from a select list, rather than under a drop-button](https://www.drupal.org/node/2753717), which represents a significant usability improvement. * Now that workflows can be applied to any revisionable entity type, Content Moderation [adds entity type checkboxes to the workflow form](https://www.drupal.org/node/2843083). This allows site administrators to configure which entity types should have the workflow at the same time as they configure the workflow itself, for a more intuitive user experience. * Content Moderation now [prevents the deletion of workflows that are currently in use](https://www.drupal.org/node/2830740) to prevent fatal errors and data integrity problems. * The confusing terminology of ["forward revisions" has been replaced with that of "pending revisions"](https://www.drupal.org/node/2890364). If your contributed module refers to revisions that are not yet published, it should use this new term. * [The 'Latest revision' views filter has been rewritten to avoid relying on a custom {revision_tracker}](https://www.drupal.org/node/2865579), and that table has been removed from the database schema. As per the experimental module process, there were some backwards-incompatible changes since Drupal 8.3.x. Experimental modules do not offer a supported upgrade path, but [an unofficial upgrade path is available](https://www.drupal.org/node/2896630). #### Field Layout ([alpha stability](https://www.drupal.org/core/experimental#alpha)) This module provides the ability for site builders to rearrange fields on content types, block types, etc. into new regions, for both the form and display, on the same forms provided by the normal field user interface. Field Layout has had several bugfixes since 8.3.0, but no significant changes. See the [entity display layout roadmap](https://www.drupal.org/node/2795833) for the next steps for this module, which needs to become stable by 8.5.0 to remain in Drupal core. #### Settings Tray ([beta stability](https://www.drupal.org/core/experimental#beta)) The Settings Tray module allows configuring page elements such as blocks and menus from the frontend of your site. Settings Tray has improved significantly since Drupal 8.3.0, including numerous user interaction and accessibility fixes, better compatibility with stable core modules like Quick Edit and Contextual Links, added documentation, and [a CSS reset](https://www.drupal.org/node/2826722) for better themer experience. The module reached beta stability following completion of [moving the off-canvas dialog renderer into a core component](https://www.drupal.org/node/2784443), and [renaming the machine name of the module to settings_tray](https://www.drupal.org/node/2803375), to match its user-facing name. We hope to make Settings Tray stable by 8.5.0. To track progress, see the ["outside in" roadmap issue](https://www.drupal.org/node/2762505). #### Place Blocks ([alpha stability](https://www.drupal.org/core/experimental#alpha)) This feature allows the user to place a block on any page and see the region where it will be displayed, without having to navigate to a backend administration form. [8.4.0-alpha1 was the deadline for Place Blocks to stabilize](https://www.drupal.org/core/experimental#versions), but the module's roadmap was not completed. Furthermore, the module is not intended as a standalone feature and should instead be a built-in part of the Block system. For these reasons, [Place Blocks module has been marked hidden in this release](https://www.drupal.org/node/2898267) (it can still be enabled with Drush). The Place Blocks module itself will be turned into an empty module in Drupal 8.5.x, since ideally the core Block system will offer the same functionality in 8.5.0 (though this depends on completion of a [core patch for the feature](https://www.drupal.org/node/2739075).) Drupal 8.3.0, 2017-04-05 ------------------------ - Added modules: * Added the Workflows module (experimental) which abstracts transitions and states from Content Moderation into a separate component for reuse by other modules implementing non-publishing workflows. * Added the Layout Discovery module (experimental) which provides an API for modules or themes to register layouts. * Added the Field Layout module (experimental) which provides the ability for site builders to rearrange fields on content types, block types, etc. into new regions, for both the form and display, on the same forms provided by the normal field user interface. - Updated vendor libraries: * Updated to Twig 1.25. * Updated to jQuery 2.2.4. * Updated to CKEditor 4.6.2 (with new Moono-Lisa skin). * Updated Symfony components to 2.8.18. * Updated PHPUnit to 4.8.35. * Applied patch-level updates to the latest versions for all dependencies wherever possible. Minor updates applied for Symfony PSR-7 Bridge and Zend Stdlib, which Drupal does not depend on directly. - Browser support: * Advance notice: Internet Explore 9 and 10 will no longer supported from 8.4.x, scheduled for October 2017. Microsoft has now ended support for these browsers. Drupal will still support Internet Explorer 11 and its replacement, Edge. - Raised stability levels of experimental modules: * Updated the BigPipe module from beta to stable. * Updated the Migrate module from alpha to beta. * See https://www.drupal.org/core/experimental#versions for more information about the stability levels of experimental modules. - Improved authoring features: * Can now drag and drop images into image fields in Quick Edit mode. * Image fields are now limited to only accepting images, so that users on mobile clients are not offered a confusing and non-functional video upload option. * CKEditor now utilizes the AutoGrow plugin to better take advantage of larger screen sizes. - Improved site building and administration: * Redesigned status report. * Standardized display of Views overview page to more closely match that of other administrative overview pages. * Views filter order now matches the table column order below in Content and People overview pages. * The "Allowed HTML tags" input has been converted to a textarea, which significantly improves the usability of HTML filter configuration. * Removed the 'disabled' region from block administration. * Incoming paths are again case-insensitive for routing, similar to earlier major Drupal versions. - Content Moderation improvements (experimental): * Refactored to use new experimental Workflows module. * Now supports moderation of non-translatable entity types. * When reverting a moderated revision, the moderation state is now reverted too. * Added an API to create and enforce default workflow states and transitions. * Allow moderation of entity types without bundles, as long as they have revisions. * Publishes any entity type that implements EntityPublishedInterface, not just Nodes. - Migration improvements (experimental): * Drupal 7 core node translations are now migrated to Drupal 8. * Configuration translation support is added to migrations in general and implemented for Drupal 6 user profile fields. - Improved REST API and decoupled site features: * REST API now supports the registering of users. * Anonymous REST API performance increased by 60% by utilizing the internal page cache. * Improved the response bodies and status codes for requests with incorrect request headers or request bodies, in dozens of situations. * Massive overhaul of the test coverage. * 403 responses now return reason why access was denied. * Serialized values for Booleans and integers are now returned as the correct data type, rather than incorrectly typed as strings. - Improved performance/scalability: * Optimized class loader detection made more generic to support class loaders other than ApcClassLoader. * ViewsData and Token info cache now use the default cache bin to prevent APCu memory from being filled too quickly. * Improve statistics performance by adding a swappable backend. - Improved developer APIs: * Deprecated several routing services in favor of two more unified services. * Replaced the deprecated Symfony ExecutionContextInterface by subclassing from ConstraintValidator to prepare for an update to Symfony 3. * EntityPublishedInterface and EntityPublishedTrait have been added to give a generic publishing API, and are being used by Node and Comment entity types. * Added a collection label to EntityType. This is a plural uppercase label for a collection of entities - e.g. "Workflows". - Changed coding standards: * Officially adopted short array syntax and updated all of core accordingly. * PHP CodeSniffer and Drupal Coder have been added as composer dev requirements, so they can be installed automatically with `composer install --dev` rather than requiring separate installation. (Do not use `composer install --dev` for production sites.) * Most global constants in Drupal 8 have been deprecated in favor of class constants. As a best practice, use appropriate class constants rather than global constants. - Testing improvements: * Integrated PHPUnit verbose output in SimpleTest UI. * Improved backward compatibility with WebTestBase. * Improved backward compatibility between BrowserTestBase and WebTestBase. * Many old WebTestBase tests have been moved to BrowserTestBase. * Expanded automated test coverage for JavaScript. - Package management: * composer.json now uses the new official endpoint for modules and themes, packages.drupal.org. * Custom modules and themes can now be installed to correct locations using composer. * Added Package.json enabling new JavaScript language features. Drupal 8.2.0, 2016-10-05 ------------------------ - Updated the git repository configuration to not normalize line endings for files of unknown type. - Added vendor libraries: * Added Stack/Cors 1.0.0. - Updated vendor libraries: * Updated to jQuery 2.2.3. * Updated to Twig 1.24. * Updated to CKEditor 4.5.11. * Updated to Symfony Routing 1.4.0. * Updated to Stack/Builder 1.0.4. * Updated to Guzzle 6.2.1. - Added modules: * Added the Place Block module (experimental) to place a block on any page without having to navigate to the backend administration form. * Added the Settings Tray module (experimental) to edit the configuration of any block on the page. Its machine name in this release is "outside_in". * Added the Content Moderation module (experimental) to define and use workflow states such as Draft, Archived and Published. This functionality was previously provided by the contributed module Workbench Moderation. * Added the Datetime Range module (experimental) that provides a new field type with support for start and end dates. - Raised stability levels of experimental modules: * Updated the BigPipe module from alpha to beta. * See https://www.drupal.org/core/experimental#versions for more information about the stability levels of experimental modules. - Improved authoring features: * Relative URLs are automatically converted to absolute ones when content is output to an RSS feed. * Enabled revisions by default on new node types. * Added a redirect option to site-wide contact forms. * Whenever a new entity is created, a link to it is now provided in a status message, for easy access to it regardless of the form workflow. * Styled CKEditor dialogs to match Drupal dialogs. - Improved site administration experience: * Numerous improvements to user interface text. - Improved site building features: * Added the ability to remove a module's content entities prior to uninstallation. * Made it possible to select the comment view mode in the formatter form. * Fixed the Migrate module to skip over migration sources that require code from uninstalled modules. - Improved REST API and decoupled site features: * Added support for reading (GET) configuration entities as REST resources. * Added dedicated resources for user login, logout and registration. * Added support for selecting an authentication provider as part of the configuration of a REST Export Views Display. * Added a cors.config service parameter for enabling and configuring cross-origin resource sharing (CORS). * Simplified REST configuration with per-resource configuration entities and less verbose configuration structure. (The previous, advanced configuration structure is also still supported.) * Improved the response messages and status codes for requests with missing or incorrect headers. * Improved responses to PATCH requests to entity resources to contain the updated entity in the response body. - Improved developer APIs: * Added support for specifying the field item delta as part of an entity query condition. This was possible in Drupal 7 via EntityFieldQuery::fieldDeltaCondition(), but missing from earlier versions of Drupal 8. - Improved performance/scalability: * In the internal page cache, 404 responses are now cached for a shorter time (1 hour by default), to consume less space. * Breadcrumbs are now cached by the parent of the path rather than the full path, for fewer cache entries and higher cache hit rates. - Changed coding standards: * Local variables and parameters can now use camelCase. * A blank line is now required after the = 5.0.15 or PostgreSQL >= 8.3. * Added query builders for INSERT, UPDATE, DELETE, MERGE, and SELECT queries. * Support for primary/replica replication, transactions, multi-insert queries, and other features. * Added support for the SQLite database engine. * Default to InnoDB engine, rather than MyISAM, on MySQL when available. This offers increased scalability and data integrity. - Security: * Protected cron.php -- cron will only run if the proper key is provided. * Implemented a pluggable password system and much stronger password hashes that are compatible with the Portable PHP password hashing framework. * Rate limited login attempts to prevent brute-force password guessing, and improved the flood control API to allow variable time windows and identifiers for limiting user access to resources. * Transformed the "Update status" module into the "Update manager" which can securely install or update modules and themes via a web interface. - Usability: * Added contextual links (a.k.a. local tasks) to page elements, such as blocks, nodes, or comments, which allows to perform the most common tasks with a single click only. * Improved installer requirements check. * Improved support for integration of WYSIWYG editors. * Implemented drag-and-drop positioning for input format listings. * Implemented drag-and-drop positioning for language listing. * Implemented drag-and-drop positioning for poll options. * Provided descriptions and human-readable names for user permissions. * Removed comment controls for users. * Removed display order settings for comment module. Comment display order can now be customized using the Views module. * Removed the 'related terms' feature from taxonomy module since this can now be achieved with Field API. * Added additional features to the default installation profile, and implemented a "slimmed down" profile designed for developers. * Added a built-in, automated cron run feature, which is triggered by site visitors. * Added an administrator role which is assigned all permissions for installed modules automatically. * Image toolkits are now provided by modules (rather than requiring a manual file copy to the includes directory). * Added an edit tab to taxonomy term pages. * Redesigned password strength validator. * Redesigned the add content type screen. * Highlight duplicate URL aliases. * Renamed "input formats" to "text formats". * Moved text format permissions to the main permissions page. * Added configurable ability for users to cancel their own accounts. * Added "vertical tabs", a reusable interface component that features automatic summaries and increases usability. * Replaced fieldsets on node edit and add pages with vertical tabs. - Performance: * Improved performance on uncached page views by loading multiple core objects in a single database query. * Improved performance for logged-in users by reducing queries for path alias lookups. * Improved support for HTTP proxies (including reverse proxies), allowing anonymous page views to be served entirely from the proxy. - Documentation: * Hook API documentation now included in Drupal core. - News aggregator: * Added OPML import functionality for RSS feeds. * Optionally, RSS feeds may be configured to not automatically generate feed blocks. - Search: * Added support for language-aware searches. - Aggregator: * Introduced architecture that allows pluggable parsers and processors for syndicating RSS and Atom feeds. * Added options to suspend updating specific feeds and never discard feeds items. - Testing: * Added test framework and tests. - Improved time zone support: * Drupal now uses PHP's time zone database when rendering dates in local time. Site-wide and user-configured time zone offsets have been converted to time zone names; for example, Africa/Abidjan. * In some cases the upgrade and install scripts do not choose the preferred site default time zone. The automatically-selected time zone can be corrected at admin/config/regional/settings. * If your site is being upgraded from Drupal 6 and you do not have the contributed date or event modules installed, user time zone settings will fallback to the system time zone and will have to be reconfigured by each user. * User-configured time zones now serve as the default time zone for PHP date/time functions. - Filter system: * Revamped the filter API and text format storage. * Added support for default text formats to be assigned on a per-role basis. * Refactored the HTML corrector to take advantage of PHP 5 features. - User system: * Added clean API functions for creating, loading, updating, and deleting user roles and permissions. * Refactored the "access rules" component of user module: The user module now provides a simple interface for blocking single IP addresses. The previous functionality in the user module for restricting certain email addresses and usernames is now available as a contributed module. Further, IP address range blocking is no longer supported and should be implemented at the operating system level. * Removed per-user themes: Contributed modules with similar functionality are available. - OpenID: * Added support for Gmail and Google Apps for Domain identifiers. Users can now log in with their user@example.com identifier when example.com is powered by Google. * Made the OpenID module more pluggable. - Added code registry: * Using the registry, modules declare their includable files via their .info file, allowing Drupal to lazy-load classes and interfaces as needed. - Theme system: * Removed the Bluemarine, Chameleon and Pushbutton themes. These themes live on as contributed themes (https://www.drupal.org/project/bluemarine, https://www.drupal.org/project/chameleon and https://www.drupal.org/project/pushbutton). * Added Stark theme to make analyzing Drupal's default HTML and CSS easier. * Added Seven as the default administration theme. * Variable preprocessing of theme hooks prior to template rendering now goes through two phases: a 'preprocess' phase and a new 'process' phase. See http://api.drupal.org/api/function/theme/7 for details. * Theme hooks implemented as functions (rather than as templates) can now also have preprocess (and process) functions. See http://api.drupal.org/api/function/theme/7 for details. * Added Bartik as the default theme. - File handling: * Files are now first class Drupal objects with file_load(), file_save(), and file_validate() functions and corresponding hooks. * The file_move(), file_copy() and file_delete() functions now operate on file objects and invoke file hooks so that modules are notified and can respond to changes. * For the occasions when only basic file manipulation are needed--such as uploading a site logo--that don't require the overhead of databases and hooks, the current unmanaged copy, move and delete operations have been preserved but renamed to file_unmanaged_*(). * Rewrote file handling to use PHP stream wrappers to enable support for both public and private files and to support pluggable storage mechanisms and access to remote resources (for example, S3 storage or Flickr photos). * The mime_extension_mapping variable has been removed. Modules that need to alter the default MIME type extension mappings should implement hook_file_mimetype_mapping_alter(). * Added the hook_file_url_alter() hook, which makes it possible to serve files from a CDN. * Added a field specifically for uploading files, previously provided by the contributed module FileField. - Image handling: * Improved image handling, including better support for add-on image libraries. * Added API and interface for creating advanced image thumbnails. * Inclusion of additional effects such as rotate and desaturate. * Added a field specifically for uploading images, previously provided by the contributed module ImageField. - Added aliased multi-site support: * Added support for mapping domain names to sites directories. - Added RDF support: * Modules can declare RDF namespaces which are serialized in the tag for RDFa support. * Modules can specify how their data structure maps to RDF. * Added support for RDFa export of nodes, comments, terms, users, etc. and their fields. - Search engine optimization and web linking: * Added a rel="canonical" link on node and comment pages to prevent duplicate content indexing by search engines. * Added a default rel="shortlink" link on node and comment pages that advertises a short link as an alternative URL to third-party services. * Meta information is now alterable by all modules before rendering. - Field API: * Custom data fields may be attached to nodes, users, comments and taxonomy terms. * Node bodies and teasers are now Field API fields instead of being a hard-coded property of node objects. * In addition, any other object type may register with Field API and allow custom data fields to be attached to itself. * Provides most of the features of the former Content Construction Kit (CCK) module. * Taxonomy terms are now Field API fields that can be added to any fieldable object. - Installer: * Refactored the installer into an API that allows Drupal to be installed via a command line script. - Page organization * Made the help text area a full featured region with blocks. * Site mission is replaced with the highlighted content block region and separate RSS feed description settings. * The footer message setting was removed in favor of custom blocks. * Made the main page content a block which can be moved and ordered with other blocks in the same region. * Blocks can now return structured arrays for later rendering just like page callbacks. - Translation system * The translation system now supports message context (msgctxt). * Added support for translatable fields to Field API. - JavaScript changes * Upgraded the core JavaScript library to jQuery version 1.4.4. * Upgraded the jQuery Forms library to 2.52. * Added jQuery UI 1.8.7, which allows improvements to Drupal's user experience. - Better module version support * Modules now can specify which version of another module they depend on. - Removed modules from core * The following modules have been removed from core, because contributed modules with similar functionality are available: * Blog API module * Ping module * Throttle module - Improved node access control system. * All modules may now influence the access to a node at runtime, not just the module that defined a node. * Users may now be allowed to bypass node access restrictions without giving them complete access to the site. * Access control affects both published and unpublished nodes. * Numerous other improvements to the node access system. - Actions system * Simplified definitions of actions and triggers. * Removed dependency on the combination of hooks and operations. Triggers now directly map to module hooks. - Task handling * Added a queue API to process many or long-running tasks. * Added queue API support to cron API. * Added a locking framework to coordinate long-running operations across requests. Drupal 6.0, 2008-02-13 ---------------------- - New, faster and better menu system. - New watchdog as a hook functionality. * New hook_watchdog that can be implemented by any module to route log messages to various destinations. * Expands the severity levels from 3 (Error, Warning, Notice) to the 8 levels defined in RFC 3164. * The watchdog module is now called dblog, and is optional, but enabled by default in the default installation profile. * Extended the database log module so log messages can be filtered. * Added syslog module: useful for monitoring large Drupal installations. - Added optional email notifications when users are approved, blocked, or deleted. - Drupal works with error reporting set to E_ALL. - Added scripts/drupal.sh to execute Drupal code from the command line. Useful to use Drupal as a framework to build command-line tools. - Made signature support optional and made it possible to theme signatures. - Made it possible to filter the URL aliases on the URL alias administration screen. - Language system improvements: * Support for right to left languages. * Language detection based on parts of the URL. * Browser based language detection. * Made it possible to specify a node's language. * Support for translating posts on the site to different languages. * Language dependent path aliases. * Automatically import translations when adding a new language. * JavaScript interface translation. * Automatically import a module's translation upon enabling that module. - Moved "PHP input filter" to a standalone module so it can be deleted for security reasons. - Usability: * Improved handling of teasers in posts. * Added sticky table headers. * Check for clean URL support automatically with JavaScript. * Removed default/settings.php. Instead the installer will create it from default.settings.php. * Made it possible to configure your own date formats. * Remember anonymous comment posters. * Only allow modules and themes to be enabled that have explicitly been ported to the correct core API version. * Can now specify the minimum PHP version required for a module within the .info file. * Drupal core no longer requires CREATE TEMPORARY TABLES or LOCK TABLES database rights. * Dynamically check password strength and confirmation. * Refactored poll administration. * Implemented drag-and-drop positioning for blocks, menu items, taxonomy vocabularies and terms, forums, profile fields, and input format filters. - Theme system: * Added .info files to themes and made it easier to specify regions and features. * Added theme registry: modules can directly provide .tpl.php files for their themes without having to create theme_ functions. * Used the Garland theme for the installation and maintenance pages. * Added theme preprocess functions for themes that are templates. * Added support for themeable functions in JavaScript. - Refactored update.php to a generic batch API to be able to run time-consuming operations in multiple subsequent HTTP requests. - Installer: * Themed the installer with the Garland theme. * Added form to provide initial site information during installation. * Added ability to provide extra installation steps programmatically. * Made it possible to import interface translations during installation. - Added the HTML corrector filter: * Fixes faulty and chopped off HTML in postings. * Tags are now automatically closed at the end of the teaser. - Performance: * Made it easier to conditionally load .include files and split up many core modules. * Added a JavaScript aggregator. * Added block-level caching, improving performance for both authenticated and anonymous users. * Made Drupal work correctly when running behind a reverse proxy like Squid or Pound. - File handling improvements: * Entries in the files table are now keyed to a user instead of a node. * Added reusable validation functions to check for uploaded file sizes, extensions, and image resolution. * Added ability to create and remove temporary files during a cron job. - Forum improvements: * Any node type may now be posted in a forum. - Taxonomy improvements: * Descriptions for terms are now shown on taxonomy/term pages as well as RSS feeds. * Added versioning support to categories by associating them with node revisions. - Added support for OpenID. - Added support for triggering configurable actions. - Added the Update status module to automatically check for available updates and warn sites if they are missing security updates or newer versions. Sites deploying from CVS should use https://www.drupal.org/project/cvs_deploy. Advanced settings provided by https://www.drupal.org/project/update_advanced. - Upgraded the core JavaScript library to jQuery version 1.2.3. - Added a new Schema API, which provides built-in support for core and contributed modules to work with databases other than MySQL. - Removed drupal.module. The functionality lives on as the Site network contributed module (https://www.drupal.org/project/site_network). - Removed old system updates. Updates from Drupal versions prior to 5.x will require upgrading to 5.x before upgrading to 6.x. Drupal 5.7, 2008-01-28 ---------------------- - fixed the input format configuration page. - fixed a variety of small bugs. Drupal 5.6, 2008-01-10 ---------------------- - fixed a variety of small bugs. - fixed a security issue (Cross site request forgery), see SA-2008-005 - fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 - fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 Drupal 5.5, 2007-12-06 ---------------------- - fixed missing missing brackets in a query in the user module. - fixed taxonomy feed bug introduced by SA-2007-031 Drupal 5.4, 2007-12-05 ---------------------- - fixed a variety of small bugs. - fixed a security issue (SQL injection), see SA-2007-031 Drupal 5.3, 2007-10-17 ---------------------- - fixed a variety of small bugs. - fixed a security issue (HTTP response splitting), see SA-2007-024 - fixed a security issue (Arbitrary code execution via installer), see SA-2007-025 - fixed a security issue (Cross site scripting via uploads), see SA-2007-026 - fixed a security issue (User deletion cross site request forgery), see SA-2007-029 - fixed a security issue (API handling of unpublished comment), see SA-2007-030 Drupal 5.2, 2007-07-26 ---------------------- - changed hook_link() $teaser argument to match documentation. - fixed a variety of small bugs. - fixed a security issue (cross-site request forgery), see SA-2007-017 - fixed a security issue (cross-site scripting), see SA-2007-018 Drupal 5.1, 2007-01-29 ---------------------- - fixed security issue (code execution), see SA-2007-005 - fixed a variety of small bugs. Drupal 5.0, 2007-01-15 ---------------------- - Completely retooled the administration page * /Admin now contains an administration page which may be themed * Reorganised administration menu items by task and by module * Added a status report page with detailed PHP/MySQL/Drupal information - Added web-based installer which can: * Check installation and run-time requirements * Automatically generate the database configuration file * Install pre-made installation profiles or distributions * Import the database structure with automatic table prefixing * Be localized - Added new default Garland theme - Added color module to change some themes' color schemes - Included the jQuery JavaScript library 1.0.4 and converted all core JavaScript to use it - Introduced the ability to alter mail sent from system - Module system: * Added .info files for module meta-data * Added support for module dependencies * Improved module installation screen * Moved core modules to their own directories * Added support for module uninstalling - Added support for different cache backends - Added support for a generic "sites/all" directory. - Usability: * Added support for auto-complete forms (AJAX) to user profiles. * Made it possible to instantly assign roles to newly created user accounts. * Improved configurability of the contact forms. * Reorganized the settings pages. * Made it easy to investigate popular search terms. * Added a 'select all' checkbox and a range select feature to administration tables. * Simplified the 'break' tag to split teasers from body. * Use proper capitalization for titles, menu items and operations. - Integrated urlfilter.module into filter.module - Block system: * Extended the block visibility settings with a role specific setting. * Made it possible to customize all block titles. - Poll module: * Optionally allow people to inspect all votes. * Optionally allow people to cancel their vote. - Distributed authentication: * Added default server option. - Added default robots.txt to control crawlers. - Database API: * Added db_table_exists(). - Blogapi module: * 'Blogapi new' and 'blogapi edit' nodeapi operations. - User module: * Added hook_profile_alter(). * Email verification is made optional. * Added mass editing and filtering on admin/user/user. - PHP Template engine: * Add the ability to look for a series of suggested templates. * Look for page templates based upon the path. * Look for block templates based upon the region, module, and delta. - Content system: * Made it easier for node access modules to work well with each other. * Added configurable content types. * Changed node rendering to work with structured arrays. - Performance: * Improved session handling: reduces database overhead. * Improved access checking: reduces database overhead. * Made it possible to do memcached based session management. * Omit sidebars when serving a '404 - Page not found': saves CPU cycles and bandwidth. * Added an 'aggressive' caching policy. * Added a CSS aggregator and compressor (up to 40% faster page loads). - Removed the archive module. - Upgrade system: * Created space for update branches. - Form API: * Made it possible to programmatically submit forms. * Improved api for multistep forms. - Theme system: * Split up and removed drupal.css. * Added nested lists generation. * Added a self-clearing block class. Drupal 4.7.11, 2008-01-10 ------------------------- - fixed a security issue (Cross site request forgery), see SA-2008-005 - fixed a security issue (Cross site scripting, UTF8), see SA-2008-006 - fixed a security issue (Cross site scripting, register_globals), see SA-2008-007 Drupal 4.7.10, 2007-12-06 ------------------------- - fixed taxonomy feed bug introduced by SA-2007-031 Drupal 4.7.9, 2007-12-05 ------------------------ - fixed a security issue (SQL injection), see SA-2007-031 Drupal 4.7.8, 2007-10-17 ------------------------ - fixed a security issue (HTTP response splitting), see SA-2007-024 - fixed a security issue (Cross site scripting via uploads), see SA-2007-026 - fixed a security issue (API handling of unpublished comment), see SA-2007-030 Drupal 4.7.7, 2007-07-26 ------------------------ - fixed security issue (XSS), see SA-2007-018 Drupal 4.7.6, 2007-01-29 ------------------------ - fixed security issue (code execution), see SA-2007-005 Drupal 4.7.5, 2007-01-05 ------------------------ - Fixed security issue (XSS), see SA-2007-001 - Fixed security issue (DoS), see SA-2007-002 Drupal 4.7.4, 2006-10-18 ------------------------ - Fixed security issue (XSS), see SA-2006-024 - Fixed security issue (CSRF), see SA-2006-025 - Fixed security issue (Form action attribute injection), see SA-2006-026 Drupal 4.7.3, 2006-08-02 ------------------------ - Fixed security issue (XSS), see SA-2006-011 Drupal 4.7.2, 2006-06-01 ------------------------ - Fixed critical upload issue, see SA-2006-007 - Fixed taxonomy XSS issue, see SA-2006-008 - Fixed a variety of small bugs. Drupal 4.7.1, 2006-05-24 ------------------------ - Fixed critical SQL issue, see SA-2006-005 - Fixed a serious upgrade related bug. - Fixed a variety of small bugs. Drupal 4.7.0, 2006-05-01 ------------------------ - Added free tagging support. - Added a site-wide contact form. - Theme system: * Added the PHPTemplate theme engine and removed the Xtemplate engine. * Converted the bluemarine theme from XTemplate to PHPTemplate. * Converted the pushbutton theme from XTemplate to PHPTemplate. - Usability: * Reworked the 'request new password' functionality. * Reworked the node and comment edit forms. * Made it easy to add nodes to the navigation menu. * Added site 'offline for maintenance' feature. * Added support for auto-complete forms (AJAX). * Added support for collapsible page sections (JS). * Added support for resizable text fields (JS). * Improved file upload functionality (AJAX). * Reorganized some settings pages. * Added friendly database error screens. * Improved styling of update.php. - Refactored the forms API. * Made it possible to alter, extend or theme forms. - Comment system: * Added support for "mass comment operations" to ease repetitive tasks. * Comment moderation has been removed. - Node system: * Reworked the revision functionality. * Removed the bookmarklet code. Third-party modules can now handle This. - Upgrade system: * Allows contributed modules to plug into the upgrade system. - Profiles: * Added a block to display author information along with posts. * Added support for private profile fields. - Statistics module: * Added the ability to track page generation times. * Made it possible to block certain IPs/hostnames. - Block system: * Added support for theme-specific block regions. - Syndication: * Made the aggregator module parse Atom feeds. * Made the aggregator generate RSS feeds. * Added RSS feed settings. - XML-RPC: * Replaced the XML-RPC library by a better one. - Performance: * Added 'loose caching' option for high-traffic sites. * Improved performance of path aliasing. * Added the ability to track page generation times. - Internationalization: * Improved Unicode string handling API. * Added support for PHP's multibyte string module. - Added support for PHP5's 'mysqli' extension. - Search module: * Made indexer smarter and more robust. * Added advanced search operators (phrase, node type, etc.). * Added customizable result ranking. - PostgreSQL support: * Removed dependency on PL/pgSQL procedural language. - Menu system: * Added support for external URLs. - Queue module: * Removed from core. - HTTP handling: * Added support for a tolerant Base URL. * Output URIs relative to the root, without a base tag. Drupal 4.6.11, 2007-01-05 ------------------------- - Fixed security issue (XSS), see SA-2007-001 - Fixed security issue (DoS), see SA-2007-002 Drupal 4.6.10, 2006-10-18 ------------------------- - Fixed security issue (XSS), see SA-2006-024 - Fixed security issue (CSRF), see SA-2006-025 - Fixed security issue (Form action attribute injection), see SA-2006-026 Drupal 4.6.9, 2006-08-02 ------------------------ - Fixed security issue (XSS), see SA-2006-011 Drupal 4.6.8, 2006-06-01 ------------------------ - Fixed critical upload issue, see SA-2006-007 - Fixed taxonomy XSS issue, see SA-2006-008 Drupal 4.6.7, 2006-05-24 ------------------------ - Fixed critical SQL issue, see SA-2006-005 Drupal 4.6.6, 2006-03-13 ------------------------ - Fixed bugs, including 4 security vulnerabilities. Drupal 4.6.5, 2005-12-12 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.6.4, 2005-11-30 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.6.3, 2005-08-15 ------------------------ - Fixed bugs, including a critical "arbitrary PHP code execution" bug. Drupal 4.6.2, 2005-06-29 ------------------------ - Fixed bugs, including two critical "arbitrary PHP code execution" bugs. Drupal 4.6.1, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.6.0, 2005-04-15 ------------------------ - PHP5 compliance - Search: * Added UTF-8 support to make it work with all languages. * Improved search indexing algorithm. * Improved search output. * Impose a throttle on indexing of large sites. * Added search block. - Syndication: * Made the ping module ping pingomatic.com which, in turn, will ping all the major ping services. * Made Drupal generate RSS 2.0 feeds. * Made RSS feeds extensible. * Added categories to RSS feeds. * Added enclosures to RSS feeds. - Flood control mechanism: * Added a mechanism to throttle certain operations. - Usability: * Refactored the block configuration pages. * Refactored the statistics pages. * Refactored the watchdog pages. * Refactored the throttle module configuration. * Refactored the access rules page. * Refactored the content administration page. * Introduced forum configuration pages. * Added a 'add child page' link to book pages. - Contact module: * Added a simple contact module that allows users to contact each other using email. - Multi-site configuration: * Made it possible to run multiple sites from a single code base. - Added an image API: enables better image handling. - Block system: * Extended the block visibility settings. - Theme system: * Added new theme functions. - Database backend: * The PEAR database backend is no longer supported. - Performance: * Improved performance of the forum topics block. * Improved performance of the tracker module. * Improved performance of the node pages. - Documentation: * Improved and extended PHPDoc/Doxygen comments. Drupal 4.5.8, 2006-03-13 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.5.7, 2005-12-12 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.5.6, 2005-11-30 ------------------------ - Fixed bugs, including 3 security vulnerabilities. Drupal 4.5.5, 2005-08-15 ------------------------ - Fixed bugs, including a critical "arbitrary PHP code execution" bug. Drupal 4.5.4, 2005-06-29 ------------------------ - Fixed bugs, including two critical "arbitrary PHP code execution" bugs. Drupal 4.5.3, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.5.2, 2005-01-15 ------------------------ - Fixed bugs: a cross-site scripting (XSS) vulnerability has been fixed. Drupal 4.5.1, 2004-12-01 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.5.0, 2004-10-18 ------------------------ - Navigation: * Made it possible to add, delete, rename and move menu items. * Introduced tabs and subtabs for local tasks. * Reorganized the navigation menus. - User management: * Added support for multiple roles per user. * Made it possible to add custom profile fields. * Made it possible to browse user profiles by field. - Node system: * Added support for node-level permissions. - Comment module: * Made it possible to leave contact information without having to register. - Upload module: * Added support for uploading documents (includes images). - Forum module: * Added support for sticky forum topics. * Made it possible to track forum topics. - Syndication: * Added support for RSS ping-notifications of http://technorati.com/. * Refactored the categorization of syndicated news items. * Added a URL alias for 'rss.xml'. * Improved date parsing. - Database backend: * Added support for multiple database connections. * The PostgreSQL backend does no longer require PEAR. - Theme system: * Changed all GIFs to PNGs. * Reorganised the handling of themes, template engines, templates and styles. * Unified and extended the available theme settings. * Added theme screenshots. - Blocks: * Added 'recent comments' block. * Added 'categories' block. - Blogger API: * Added support for auto-discovery of blogger API via RSD. - Performance: * Added support for sending gzip compressed pages. * Improved performance of the forum module. - Accessibility: * Improved the accessibility of the archive module's calendar. * Improved form handling and error reporting. * Added HTTP redirects to prevent submitting twice when refreshing right after a form submission. - Refactored 403 (forbidden) handling and added support for custom 403 pages. - Documentation: * Added PHPDoc/Doxygen comments. - Filter system: * Added support for using multiple input formats on the site * Expanded the embedded PHP-code feature so it can be used everywhere * Added support for role-dependent filtering, through input formats - UI translation: * Managing translations is now completely done through the administration interface * Added support for importing/exporting gettext .po files Drupal 4.4.3, 2005-06-01 ------------------------ - Fixed bugs, including a critical input validation bug. Drupal 4.4.2, 2004-07-04 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.4.1, 2004-05-01 ------------------------ - Fixed bugs: no critical bugs were identified. Drupal 4.4.0, 2004-04-01 ------------------------ - Added support for the MetaWeblog API and MovableType extensions. - Added a file API: enables better document management. - Improved the watchdog and search module to log search keys. - News aggregator: * Added support for conditional GET. * Added OPML feed subscription list. * Added support for , , , , and . - Comment module: * Made it possible to disable the "comment viewing controls". - Performance: * Improved module loading when serving cached pages. * Made it possible to automatically disable modules when under heavy load. * Made it possible to automatically disable blocks when under heavy load. * Improved performance and memory footprint of the locale module. - Theme system: * Made all theme functions start with 'theme_'. * Made all theme functions return their output. * Migrated away from using the BaseTheme class. * Added many new theme functions and refactored existing theme functions. * Added avatar support to 'Xtemplate'. * Replaced theme 'UnConeD' by 'Chameleon'. * Replaced theme 'Marvin' by 'Pushbutton'. - Usability: * Added breadcrumb navigation to all pages. * Made it possible to add context-sensitive help to all pages. * Replaced drop-down menus by radio buttons where appropriate. * Removed the 'magic_quotes_gpc = 0' requirement. * Added a 'book navigation' block. - Accessibility: * Made themes degrade gracefully in absence of CSS. * Grouped form elements using '
' and '' tags. * Added '