Tag1 Consulting: On 20 Years of Drupal - an interview with James Rutherford

Planet Drupal - Mon, 2021/10/18 - 4:07pm

Tag1 continues its series celebrating 20 Years of Drupal in this Tag1 Team Talk with Pantheon’s Senior Manager of Strategic Partnerships, James Rutherford. Before moving to Pantheon, James was a longtime member of Mediacurrent, one of the largest agencies working with and creating Drupal websites. James joins Tag1 Managing Director Michael Meyers for another trip down the halls of Drupal history, from early versions of Drupal to today’s highly experienced agencies. James' initial Drupal experience was with Georgia Public Broadcasting. Over the years, James has worked with many clients, from some who moved to Drupal from their homegrown CMS to major launches such as weather.com. Join us for this talk, and learn more about how it’s not just the code - it’s the community that makes Drupal successful.

For a transcript of this video, see Transcript - 20 years of Drupal with James Rutherford.

lynette@tag1co… Mon, 10/18/2021 - 07:07

OpenSense Labs: Drupal accessibility modules: The essentials

Planet Drupal - Mon, 2021/10/18 - 10:29am
Maitreayee Bora, Mon, 10/18/2021 - 16:52

Drupal has always prioritized web accessibility to give its users a decent user experience. It provides an extensive range of modules that can be downloaded as needed, and it has consistently worked to improve its accessibility modules in every version. With this article, I will try to give you an insight into some of the recently refreshed or newly released Drupal modules that can help you in your various challenging projects. You will also get the answer to a common question: "Why Drupal for accessibility?"

To begin with, I describe the Drupal web accessibility modules by category, based on their different functionalities.


Accessibility Auditing

Under this category Drupal has a sufficient number of modules that help in offering you an enhanced accessibility audit for your ambitious projects.


Editoria11y Accessibility Checker

Editoria11y is a user-friendly checker that supports content authors and editors. Compatible with Drupal 9, it also looks after the three most vital needs of content authors:

  • It makes sure that the spellcheck is constantly running and rectifies content mistakes when they occur.
  • It makes sure that no mistakes take place in Views, Layout Builder, Media and other modules, as it runs in context with them and its checkers are also constantly on.
  • It prioritizes content issues by fixing them, also ensuring that the page editors do not omit any issue that is easily rectifiable.

Monsido Tools

Monsido helps in smooth optimization of your website, also focusing on web governance, quality assurance, and accessibility compliance. Since accessibility laws differ by country and sector, this module helps in validating your site against the international standard, WCAG 2.1. The module, which is compatible with Drupal 9, scans your site to identify any difficulties that might hamper accessibility, and also enhances your search engine rankings by recognizing SEO errors.

Siteimprove

Known as the most comprehensive cloud-based Digital Presence Optimization (DPO) software, Siteimprove helps you create high quality content, edit efficiently, drive better traffic, measure digital performance and work towards regulatory compliance. Siteimprove plugins fill the gap between Drupal and the Siteimprove Intelligence Platform, also empowering contributors to test, fix and optimize their work without any hurdles. This module is also compatible with Drupal 9.

CKEditor Accessibility Auditor

CKEditor Accessibility Auditor is a Drupal 9 compatible module that adds a button which runs the HTML_CodeSniffer Accessibility Auditor on the source code of the current content. Once you run the auditor, you get a detailed view of each specific error, the applicable success criteria and suggested techniques, and what exactly triggered the error.

CKEditor Accessibility Checker

CKEditor Accessibility Checker helps in enabling the Accessibility Checker plugin from CKEditor.com in your WYSIWYG. You can inspect the accessibility level of content that is generated in CKEditor, and resolve any accessibility concerns at the earliest. 

Sitemorse Lite - a11y Audit

Integrating Drupal with the inCMS service, this module lets you run on-page accessibility audits and view the results from the Drupal Administration interface. Sitemorse along with Ixis bring you a Drupal connector that provides the facility of checking your content quality before it gets published. Additionally, this module is compatible with Drupal 9. With this module, content editors have more command over their content: they can make it more SEO friendly and accessible, and resolve any issues that adversely affect the customer experience.

Accessibility

The Accessibility module is a great support for the content authors and theme developers as it enables them to make their websites accessible to the users regardless of their capabilities and the technologies they prefer. It offers a set of available Accessibility tests that helps in scrutinizing the content for any accessibility errors that are published by the editors. Since this module uses the QUAIL jQuery plugin, it is not covered by Drupal's security advisory policy.

Accessibility Scanner

The Accessibility Scanner module enables you to use Drupal along with Axe toolset to opt for web accessibility scans on local and remote websites within the Drupal admin interface. It is compatible with Drupal 9 but isn’t covered by Drupal's security advisory policy.

USWDS Ckeditor Integration

The USWDS library has become an essential requirement for government websites. This module focuses on letting a user smoothly use and inject USWDS classes and components into CKEditor without opening the source even a single time. The USWDS Ckeditor Integration module is compatible with Drupal 9.

Quail API

This module is a complete rework of parts of the Drupal 6 project known as “Accessible Content”. It offers an API for the 3rd-party Quail Library to Drupal modules. Quail API has a Drupal 8 alpha version as well.

Site builders

This is the second category under which Drupal offers exclusive modules to its users which enable them to design and create functional sites without the need of manual code editing.


Automatic Alternative Text

The Automatic Alternative Text module automatically generates an image caption when no alternative text has been given by the user. This is made possible by the Microsoft Azure Cognitive Services API. The module offers one or more descriptions of an image, ordered by their confidence. Although the default descriptions are in English, there is an option of translating them into other languages. This module is also compatible with Drupal 9.

iFrame Title Filter

To comply with WCAG guidelines, the iFrame Title Filter helps in ensuring that embedded iframe tags include a title attribute. When an iframe has no title attribute, this filter parses the src attribute's URL and adds a title attribute which reads "Embedded content from [url]". Many Drupal filters generate iframes, for example media and video_filter, but their compliance with iframe accessibility needs differs. It is compatible with Drupal 9.

Text field formatter

The Text field formatter module, which is compatible with Drupal 9, is an extension of the plain text formatter. The main concept of this module came from another similar module known as String field formatter. The main features of Text field formatter include:

  • Adding additional wrapper to the text field.
  • Adding classes to this wrapper.
  • Adding any of the attributes to this wrapper and 
  • Ability to override a link label (tokens are supported).

This module is compatible with Linked Field and Layout Builder. 

Field Display Kit

The Field Display Kit module enables fine-tuned rendering of any field in the system. The main features of this module consist of:

  • Independently changing title (label) of the field in every display (identified as view mode).
  • Ability to change the title (label) element tag, along with adding classes and some other attributes to the wrapper.
  • Ability to change the wrapper element of the field, and also add classes and other attributes to the wrapper.
  • Ability to change the wrapper element of every individual field item, and also add classes and other attributes to the wrapper and
  • Ability to link any field item. Therefore, to build the link, tokens like [node:url] can be used. 

When authorized, this module helps in facilitating configurations for each field on each entity of your site. It works with fields which are normally displayed or with Layout Builder as well. It is compatible with Drupal 9 but isn’t covered under Drupal’s security advisory policy.

Block ARIA Landmark Roles

Taking inspiration from Block class, the Block ARIA Landmark Roles module adds additional elements to the block configuration forms that help users assign an ARIA landmark role and/or ARIA labels to a block. It is compatible with Drupal 9.

A11Y Paragraphs Tabs

With the A11Y Paragraphs Tabs module, you can smoothly add tabs through paragraphs to your content in a way that complies with the standards of Accessibility (A11Y). This module adds paragraphs that are already configured to give you tabs on desktop and an accordion on mobile. There is no need to configure anything from your end. The three new paragraphs created by this module consist of:

  • A11Y Paragraphs Tabs Wrapper
  • A11Y Paragraphs Tabs Panel
  • A11Y Paragraphs Tabs Content

The wrapper (A11Y Paragraphs Tabs Wrapper) consists of the tab panel (A11Y Paragraphs Tabs Panel) that enables you to add tabs according to your convenience. On the other hand, the tabs panel (A11Y Paragraphs Tabs Panel) consists of a paragraph in which you are able to add the paragraphs you would prefer to use inside the tab panel. It is compatible with Drupal 9.

Decorative Image Widget

The Decorative Image Widget is a solution for site builders who prefer that leaving an image's alternative text blank be explicit (by checking a new "Decorative" checkbox) instead of implicit (by simply leaving the alt text field blank). To put it simply, editors are made to affirm the reason for leaving the alt text empty, which is that the image is decorative and needs to be hidden from screen readers. The primary features of this module consist of:

  • Providing an option of a “Decorative” checkbox to image widgets that has to be checked if the user chooses to leave the alt text empty.
  • Forcing users to focus upon alternative text instead of leaving it blank. 
  • Working with any existing image widget which extends from core's default. For example, it can be used with the default image widget or the one offered by Image Widget Crop.
  • Lastly, there is no need for any kind of data model changes, since the position of the state of the "Decorative" checkbox is completely inferred from the value of the alt text.

This module is compatible with Drupal 9 but isn’t covered under Drupal’s security advisory policy.

A11Y: Form helpers

The A11Y: Form helpers module helps you make forms more accessible in Drupal. The module's features are:

  • You do not need any HTML5 validation.
  • You can include readable inline error messages for screen readers.
  • You can also put in pre-filled attributes to certain form elements.

This module is compatible with Drupal 9 but isn’t covered under Drupal’s security advisory policy.

CKEditor Abbreviation

CKEditor Abbreviation module helps you in adding a button to CKEditor for inserting and editing abbreviations. This module also has an added benefit i.e., the availability of a link to edit the abbreviation. It is compatible with Drupal 9.

Node Link Report

Since links within content can take various forms in WYSIWYG, such as link fields, free text, entity reference fields and many more, it might be a difficult task to ensure that links are not broken in your content. The Node Link Report module offers you a block which displays a link report including all the links in the rendered node. It enables you to display the links on node view, node edit, and node preview as well. Also, it is compatible with Drupal 9.

Devel Accessibility

The Devel Accessibility module offers support to the module developers by providing them an API for aria-live region update announcements. It is compatible with Drupal 9.

CKEditor Balloon Panel

The CKEditor Balloon Panel module enables the Balloon Panel plugin from CKEditor.com in your WYSIWYG editor. The Balloon Panel plugin offers the capacity for creating a floating, balloon-shaped container that can present content at the preferred position in the document. The CKEditor Accessibility Checker uses this module to create the floating panels with accessibility tips.

Developers

Under the third category, Drupal provides significant modules to developers that help in enhancing their experience in building well-designed and user-friendly websites.


WCAG Drawer

The WCAG Drawer module is compatible with Drupal 9 and has Drupal 8 alpha version. Although it isn’t covered under Drupal's security advisory policy, you can take the benefit of utilizing the framework offered by this module in order to create easily accessible drawers.

Color Swatch

Color Swatch module is considered as an alternative to the Drupal Core color module and color scheme. This module prioritizes supplying a css with the preferred colors. And it is also said to be flexible as the generated css isn’t compiled in the form of a file but rather added as an inline css. Additionally, the css operates via rendering of a twig file with a theme function that provides more control from preprocess functions, and also twig template overrides on a theme level. This module is compatible with Drupal 9 but isn’t covered under Drupal’s security advisory policy.

End-users

Under this category, the end-users of Drupal are offered with some unique modules that enable them to witness an excellent experience while building their respective projects.


Accessibility Enabler

People with any kind of disability can consume and navigate sites effectively with Accessibility Enabler. It also supports the differently abled population in using the preferred content, enhancing accessibility, and increasing sales and conversation. It helps in making your site more compliant with the accessibility regulations of your country, preventing lawsuits and heavy penalties. You get an opportunity to build your brand among your customers, and also to exhibit social responsibility by increasing accessibility via this module. The key features include:

  • Availing accessibility tools for each and every disability.
  • Providing intelligent design for mobile.
  • Availing accessibility presets for each persona.
  • Option to put accessibility triggers anywhere.
  • Ability to change accessibility trigger button position.
  • Facility of making your own custom trigger.
  • Multiple color theme options.
  • Freedom to express your commitment towards accessibility.
  • Enhancing your site navigation to the best of its ability and
  • Ability to return to the top of the page easily.

This module isn’t covered under Drupal’s security advisory policy.

Civic Accessibility Toolbar

Civic Accessibility Toolbar provides a block with accessibility utilities that let end users switch to theme versions with higher color contrast and change the font size of text. You can create a block with both or one of the utilities to allow visually impaired users to access Drupal sites without any difficulty. It has been tested with the Bartik, Garland, Zen Starterkit, Stark and Olivero themes and is compatible with Drupal 9.

Text Size

For better web accessibility, the Text Size module displays an adjustable text size changer or a zoom function on the page. Although the zoom function is comparable to the text zoom function in Firefox 3, this module also resizes vector images, variable pixel images and variable media objects.

Text Resize

The Text Resize module provides great support for visually impaired people by increasing the accessibility of pages with the necessary text size adjustments. By using jQuery and the jQuery Cookie plugin, this module creates a Drupal block which can be themed. Moreover, it gives the option to resize images as well. Remember to enable the "Text Resize" block in your theme so that the block appears.

High contrast

With the High contrast module, you are able to smoothly switch between the active theme and a high contrast version of it. After installing the module, you only need to press the tab key on the keyboard to get the high contrast pop-up link on the screen. It is compatible with Drupal 9.

Voice Search Redirect

The Voice Search Redirect module enables you to redirect to any page with the help of a voice command, so there is no need to click manually on the menu. This module isn’t covered under Drupal’s security advisory policy.

Fluidproject UI Options

Fluidproject UI Options offers accessibility options to its users to modify a page's font size, font style, link style, line height and contrast using cookies. But there are some limitations such as:

  • Internationalization is done through JSON files within the module folder instead of the Drupal interface. 
  • Although this module is tested successfully with the most popular themes, some of the themes like Bootstrap require additional CSS for font-sizing or line heights to work. 
  • The contrast settings do not work for elements that use CSS gradients.

It is compatible with Drupal 9.

Style Switcher

The Style Switcher module empowers themers to create themes with alternate stylesheets, and site builders to add other alternate stylesheets in the admin section. It provides all those styles to site visitors as a list of links in a block, which lets visitors select the style of the site they prefer. The module uses cookies so that when people return to the site, or even visit a different page, they still get their preferred style. It is compatible with Drupal 9.

Generic HTML validations

The modules under this category enhance the overall accessibility for screen readers and other non-browser devices.


htmLawed

Along with accessibility, the htmLawed module also provides you security. This module restricts and purifies HTML code for compliance with the site administrator policy and standards and for security by using the htmLawed PHP library. In addition to that, you are allowed to autocorrect and beautify HTML markup, and to restrict HTML elements, attributes and URL protocols in the input. It helps in balancing tags and ensuring that HTML elements are well nested, transforms deprecated tags and attributes, and many more. It is compatible with Drupal 9.

HTML Purifier

Similar to the htmLawed module, the HTMLPurifier library is a great mix of both accessibility and security. Along with removing malicious code from your site, it also ensures that your site complies with W3C standards. Since this module works perfectly with WYSIWYG editors, it proves to be a great fit for Drupal as well. Also, options like custom fonts, tables, inline styling, and many more are offered by this module. It is compatible with Drupal 9.

Now, what do you think, is Drupal accessible? Undoubtedly, YES, as all the above Drupal accessibility modules prove so. 

Conclusion

With the above-mentioned Drupal module list, I tried to provide you with the essential modules that can efficiently help your developers, content editors and site visitors with better web accessibility. So, now it’s completely up to you to choose the right modules that fit your project needs and expectations. Without waiting further, take your pick!

Ny Media: Entity bundle classes and its possibilities

Planet Drupal - Mon, 2021/10/18 - 12:45am
alf.harald, October 18, 2021

Projects vary vastly in terms of complexity. Sometimes there are just one or two entities, sometimes a standard product structure. But what happens when you have several layers of interconnected nodes or terms that rely on each other via custom entity reference fields? My take is, it may (will) tip over to becoming messy code, very fast.

Say we are doing an online class. We have 3 entities:

  1. A group of people
  2. A participant in this group
  3. A physical person (which can be in multiple groups)

And let's say we have this structure organized as nodes, with entity reference fields defining the connections.

Core & contrib entity behavior

Let's say that we are preparing some data from this structure. Based on a participant, we are going to find the description of the group to display in some template somewhere. Just traversing the fields of nodes, we would do this:

// Get the description and location of the group
$group_participant = $a_node;
$group = $group_participant->field_group_reference->entity->field_text->value;
$location = $group_participant->field_group_reference->entity->field_location->value;

This is the most standard thing to see in custom Drupal code when traversing entity reference fields. Alas, very unfriendly code in terms of readability, eh? In this case, we are using core node entities with two different bundles. If we had spent time on creating custom entities, we could of course do this:

// Get description and location for the group
$participant = $custom_entity;
$participant->getGroup()->getDescription();
$participant->getGroup()->getLocation();

This looks a lot more intuitive, right? And, we can use such modern things as code completion in editors like PHPStorm to traverse the entity objects. But this approach does not apply to taxonomies, media entities, nodes, or any other entities that a core or contrib module provides.

Here is another example. References between nodes and taxonomies are usually one-way only. The participant can be a member of several groups. Let's say we know only of a participant, but we want to know which groups this participant is in. Using an injected service, you would most probably do something like this, using an entityQuery in the background:

// Find the groups that this participant is in.
$participant = $a_node;
/** @var MyService $some_service */
$groups = $some_service->getGroupsByParticipant($participant);

This is type-completion capable, provided that you add that service in every class you need it. But why on earth, why would you need a service to find the groups? It should be as simple as:

$participant->getGroups($status);

Right now, we can only do clean code like this in two scenarios:

  1. By overriding the node class in its entirety, once and for all
  2. By creating a custom entity module

Using option 1, if you override the entire class completely, we would get this scenario:

// Get the Schroedinger's participant.
$participant = $node;
// Is it a participant? Let's find out.
$is_participant = $participant->isParticipant();
// Or maybe like this:
$is_participant = $participant->getType() == 'participant';
// Now it is a real participant.

PHP would know what type it is, but the code completion won't know that because we cannot differentiate on bundles. So on the same object, we could both do:

$node->isGroupParticipant(); // would be false
$node->isParticipant(); // would be true

Using option 2, in many cases, there are two or three commands that we'd like to add to each bundle of a node. Creating a custom entity just to make some small alterations to the functionality of the node system is in most cases completely overkill. It is loads of custom code that can easily be avoided if we only could create custom entity classes for those bundles.

Enter the savior patch

The patch is here: https://www.drupal.org/node/2570593

This patch provides a way to add entity bundle classes, which allows us to create customized classes that apply to one single bundle. To use it, we use hook_entity_bundle_info_alter to register the bundles with their separate classes:

// Register one class per node bundle.
function fabulous_module_entity_bundle_info_alter(&$bundles) {
  $bundles['node']['participant']['class'] = ParticipantNode::class;
  $bundles['node']['group']['class'] = GroupNode::class;
}

Then, we create two classes, one for the group:

class GroupNode extends Node { }

And one for the participant:

class ParticipantNode extends Node { }

Or instead, you can of course be a pro and describe your custom class in an interface:

class ParticipantNode extends Node implements ParticipantNodeInterface { }

 

The important thing here is, the class *must* extend the registered entity class, in this case, Node. And that is basically it.

You can now start building functionality for each of the bundles separately. Here is the magic, let's say you load a node:

// If we load..
$id = $a_participant;
$node = Node::load($id);
if ($node instanceof ParticipantNode) {
  // Hooray, this is true!
}

Instead of receiving the standard Node object, you'll get your own ParticipantNode object!

Now, to make the example above work, instead of remembering field names, add this to the group node class object:

public function getParticipant() {
  return $this->field_participant->entity;
}

And you can add this to the participant node object (provided it is a 1-many relationship):

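public function getGroups($status) {
  // Find the group nodes that reference this participant. Assumes the
  // reference lives in field_participant on the group bundle, as in
  // getParticipant() above.
  $result = \Drupal::entityQuery('node')
    // Only return groups the current user is allowed to view.
    ->accessCheck(TRUE)
    ->condition('type', 'group')
    ->condition('field_participant', $this->id())
    ->condition('field_group_status', $status)
    ->execute();
  // A participant can be in several groups, so load all matches.
  return Node::loadMultiple($result);
}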

Then you can basically go on an eternal trail of type-completed entities, whether it is nodes, users or taxonomies:

$participant->getGroupParticipant()->getGroup()->getMunicipality()->getRegion();

Not just nodes

Any entity bundle, core or contrib, can get an entity bundle class. Taxonomies, nodes, media, files.

$term->reIndexReferencedEntities();
$comment->whatever();
$file->doSomeOtherFunkyBusiness();
// More examples here!!

It's nice, but be careful

Using the approach that this patch provides, there are a few dos and don'ts.

First of all, a single bundle type can only be overridden once. So, this approach is best used:

  • In the semi-lawless world of custom project-specific code
  • Very carefully in reusable code, but only where the entity type is defined by the module itself

So the limit on this approach is primarily for custom projects. But, that is also where code tends to get most messy.

#! code: Drupal 9: Loading All Routes From A Module

Planet Drupal - Sun, 2021/10/17 - 7:33pm

When creating Drupal modules I like to keep the hard coded components to a minimum. This helps when changing parts of the module in the future as hard coded links and other elements will require manual intervention and slow down maintenance. Sometimes, though, this isn't an option as you just need to have a few routes in your *.routing.yml file that point to controllers or forms within your module.

I had a situation today where I was looking to load all of the routes that are contained in a module. I could then construct a page of links that would handily point to different parts of the module or feed those links into a sitemap. This meant that I wouldn't need to hard code this list into a controller, I just needed to load all the routes and print that list out instead. Especially handy if I ever added or removed a route as that would mean that list would update without me having to do it manually.

Using Core Services

As it happens, Drupal doesn't have a service that allows you to search for routes that have a similar signature or structure. There are a couple of things that look like they might work, but end up not being what I was looking for. I'll go through them here for completeness.

The first option I found was the getRouteByName() method from the router.route_provider service. This does a one-to-one match of a given route against the routes you have within a site. Because the searching is done as a lookup on an array of routes, the method doesn't accept wildcard searching.

The following example would only retrieve a single route.

Chapter Three: Deploying an Ecosystem to Serve the Public: A Strategy for California’s Trial Courts

Planet Drupal - Fri, 2021/10/15 - 8:34pm
Overview

We’ve been working over the last year to help the Judicial Council of California move the infrastructure and design of various California court sites (as we've said elsewhere, the California Judicial Branch is the largest legal system in the country). This ongoing effort is grounded by several desired outcomes:

Agiledrop.com Blog: Top Drupal blog posts from September 2021

Planet Drupal - Fri, 2021/10/15 - 9:57am

September gave us a lot of interesting Drupal-related news and articles. Here’s our recap of some of our favorite posts.

mcdruid.co.uk: Assessing the likelihood of a Drupal exploit of Ghostscript Zero Day CVE-2021-3781

Planet Drupal - Thu, 2021/10/14 - 4:01pm

My colleagues and I in the Drupal Security Team recently became aware of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

At least one viable Proof of Concept (PoC) was made public not long after the Zero Day which illustrated Scalable Vector Graphics (SVG) handling in ImageMagick being used as an attack vector.

Drupal core doesn't use Ghostscript directly, but it's fairly common for Drupal sites to use ImageMagick in some form.

As such, we began to look at how an attacker might try to exploit the Ghostscript vulnerability via SVG and ImageMagick on a Drupal site.

Our goal in such an investigation is to determine whether it would be sufficiently easy, with a common Drupal configuration, that we ought to issue a Public Security Announcement (PSA) warning Drupal users and providing any mitigation steps they might be able to take until an upstream fix was available.

Here's a quick write-up of some of the investigation I did.

We'd determined that SVG is not in the default list of permitted image extensions in Drupal.

However, the PoC write-up showed ImageMagick being tricked into parsing an SVG with a fake jpg extension.

I verified that in Drupal 9 the built-in file type detection prevented a malicious SVG from being smuggled into an upload with a permitted file extension.

Drupal 7 core by itself doesn't have this protection, although modules are available that add e.g. mime-type sniffing such as https://www.drupal.org/project/mimedetect.

How might an attacker try to take advantage of this?

Drupal core has built-in support for "image styles" which can perform preset transformations on uploaded images. For example, a thumbnail image is often prepared to show in previews of articles.

So a Drupal site which uses Imagemagick to handle image processing (GD is the default in core but alternative "image toolkits" are available) might be exploited if an attacker could upload a malicious SVG and have the site try to perform an image manipulation on this, such as resizing it to prepare a thumbnail. This sort of functionality is quite common - for example - when a newly registered user uploads a profile picture. That would make a good target for an attacker.

I ran through what happens if you smuggle a malicious SVG masquerading as a permitted image type into a D7 upload field. As Drupal tries to record the metadata about the image, it makes a series of API calls which end up invoking image_get_info() which in turn calls image_toolkit_invoke('get_info', $image).

At that point both the default GD and the alternative Imagemagick toolkits call PHP's built-in getimagesize() on the image. If the image in question is actually an SVG, this will typically return FALSE.

That means that Drupal will not attempt to perform a transformation on the image - for example to create a thumbnail - because it has not been able to derive the image's metadata including the dimensions of the original.
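The two gates described above, sketched in plain PHP: a content-type check at upload time, and the getimagesize() result deciding whether any derivative is attempted. This is an added example, not Drupal core or contrib code; the example_* function names are hypothetical and the sample files are constructed and harmless.

```php
<?php
// Added example: not Drupal core or contrib code. The example_* names are
// hypothetical; getimagesize() and finfo are PHP's own APIs.

// The one MIME type each permitted extension is allowed to contain.
const EXAMPLE_EXPECTED_MIME = [
  'jpg'  => 'image/jpeg',
  'jpeg' => 'image/jpeg',
  'png'  => 'image/png',
  'gif'  => 'image/gif',
];

/**
 * Upload-time check: the sniffed content type must match the extension.
 * This is the kind of protection a MIME-sniffing module adds on Drupal 7.
 */
function example_validate_upload(string $path, string $client_name): array {
  $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
  if (!isset(EXAMPLE_EXPECTED_MIME[$ext])) {
    return ['ok' => FALSE, 'reason' => "extension '$ext' is not permitted"];
  }
  // Identify the file by its bytes, never by the client-supplied name.
  $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($path);
  if ($sniffed !== EXAMPLE_EXPECTED_MIME[$ext]) {
    return [
      'ok' => FALSE,
      'reason' => "content is '$sniffed', expected " . EXAMPLE_EXPECTED_MIME[$ext],
    ];
  }
  return ['ok' => TRUE, 'reason' => 'content matches extension'];
}

/**
 * Processing-time gate: only hand a file to the image toolkit when PHP can
 * read raster dimensions from it. No metadata means no derivative.
 */
function example_should_derive(string $path): bool {
  $info = @getimagesize($path);
  return is_array($info) && $info[0] > 0 && $info[1] > 0;
}

// Constructed, harmless sample files written to the temp directory.
$svg_file = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($svg_file,
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
  . '<rect width="10" height="10"/></svg>');

$png_file = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png_file, base64_decode(
  'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

$cases = [
  ['avatar.jpg', $svg_file],  // SVG content behind a permitted extension
  ['avatar.png', $png_file],  // genuine 1x1 PNG
  ['avatar.svg', $svg_file],  // extension outside the permitted list
];

foreach ($cases as [$name, $path]) {
  $check = example_validate_upload($path, $name);
  printf(
    "%-11s upload %s (%s); derivative attempted: %s\n",
    $name,
    $check['ok'] ? 'accepted' : 'rejected',
    $check['reason'],
    example_should_derive($path) ? 'yes' : 'no'
  );
}

unlink($svg_file);
unlink($png_file);
```

The second gate is independent of the first: even where the upload check is absent, a file that yields no dimensions is never passed on for resizing.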

Even on a site which explicitly supports SVG uploads (and you might argue that would be quite unusual for e.g. user profile pics), Drupal's default behaviour of deriving some image metadata and then deciding whether image transformations should be performed doesn't work for SVGs the way it does for e.g. jpg and png files, because of the nature of SVGs.

At least one popular SVG contrib module tries to derive an SVG image's dimensions by parsing it as XML, but the malicious files produced by the PoC are not correctly formed for this.

It doesn't really make sense to try and run an SVG through Imagemagick's convert to create a thumbnail or other derivative of a different size - that's sort of the whole point of Scalable Vector Graphics.

This investigation had focused on Drupal 7, but it looked like Drupal 9 would be - if anything - better protected because of its built-in file type detection.

One popular configuration to support SVGs in D8/9 uses a vendored library to validate the XML; this rejected the PoC's malicious SVG during upload validation.

There are a handful of different ways (as is often the case in Drupal) to set up SVG support in Drupal 9, but in one discussion about SVG support, phenaproxima (one of the media module's developers) stated:

"The Media module itself has no opinion about SVG images. The Image module, on the other hand, doesn't normally allow SVG to be uploaded into any image field, due to the various security and integration issues (i.e., image styles)."

So it really didn't look great for our potential attacker trying to exploit Drupal's image styles (automatic image transformations) via SVG and an Imagemagick toolkit to take advantage of the Ghostscript Zero Day.

As it looked like it wouldn't be easy to exploit this in what we'd consider a common configuration of Drupal, we decided against issuing a PSA.

This is not to say it's inconceivable that the vulnerability could be exploited on a Drupal site out there somewhere, but it would likely be considered an "edge case".

It's also possible that I got some of this wrong. If you know of any significant details I missed which mean that exploitation might be easier or more likely than my analysis suggested, please contact me or the Drupal Security Team privately in the first instance. We will credit any researchers who provide information that leads to us issuing a Security Advisory.

Thanks to Greg Knaddison (greggles) for (suggesting and) reviewing this post.

Tags: drupal-planet, security
Categories:

DrupalCon News: State of Drupal presentation at DrupalCon Europe

Planet Drupal - Thu, 2021/10/14 - 10:41am

On 4-7 October, Drupalists around the world gathered virtually for DrupalCon Europe. As a DrupalCon tradition, Dries delivered his State of Drupal keynote.

Categories:

Drupal blog: State of Drupal presentation (October 2021)

Planet Drupal - Thu, 2021/10/14 - 10:08am

This blog has been re-posted and edited with permission from Dries Buytaert's blog.

Last week, Drupalists around the world gathered virtually for DrupalCon Europe 2021.

In good tradition, I delivered my State of Drupal keynote. You can watch the video of my keynote, download my slides (156 MB), or read the brief summary below.

I talked about end-of-life schedules for various Drupal versions, delivered some exciting updates on Drupal 10 progress, and covered the health of the Drupal community in terms of contributor dynamics. Last but not least, I talked about how we are attracting new users and contributors by making it much easier to contribute to Drupal.

Drupal 7 and Drupal 8 end-of-life

If you are using Drupal 7 or Drupal 8, time is of the essence to upgrade to Drupal 9. Drupal 7 end-of-life is scheduled for November 2022.

Drupal 8's end-of-life is more pressing, as it is scheduled for November 2nd, 2021 (i.e. in less than a month). If you are wondering why Drupal 8 is end-of-life before Drupal 7, that is because we changed how we develop Drupal in 2016. These changes have been really great for Drupal. They've made it much easier to upgrade to the latest version without friction.

As a community, we've spent thousands of hours building tools and automations to make migrating to Drupal 9 as simple as possible.

Drupal 10 timeline

Next, I gave an update on Drupal 10 timelines. Timing-wise, our preferred option would be to ship Drupal 10 in June 2022. That date hinges on how much work we can get done in the next few months.

Drupal core strategic initiatives

After these timelines, I walked through the six strategic initiatives for Drupal core. We've made really great progress on almost all of them. To see our progress in action, I invited key contributors to present video updates.

Project Browser

You may recall that I introduced the Project Browser initiative in my April 2021 State of Drupal presentation. The idea is to make it easy for site builders to find and install modules right from their Drupal site, much like an app store on a smartphone. The goal of this initiative is to help more evaluators and site builders fall in love with Drupal.

Today, just six months later, we have a working prototype! Take a look at the demo video:

Decoupled Menus

Drupal is an excellent headless CMS with support for REST, JSON:API and GraphQL.

As a next step in our evolution, we want to expand the number of web service endpoints Drupal offers, and build a large repository of web components and JavaScript framework integrations.

With that big goal in mind, we launched the Decoupled Menus initiative about one year ago. The goal was to create a small web component that could ship quickly and solve a common use case. We focused on one component so we could take all the learnings from that one component to improve our development infrastructure and policies to help us create many more web service end points and JavaScript components.

I talked about the various improvements we made to Drupal.org to support the development and management of more JavaScript components. I also showed that we've now shipped Drupal menu components for React, Svelte and more. Take a look at the video below to see where we're at today:

Our focus on inviting more JavaScript developers to the Drupal community is a transformative step. Why? Headless momentum is growing fast, largely driven by the growth of JavaScript frameworks. Growing right along with it is the trend of composability, or the use of independent, API-first micro-services. Building more web service endpoints and JavaScript components extends Drupal's leadership in both headless development and composability. This will continue to make Drupal one of the most powerful and flexible tools for developers.

Easy Out of the Box

The goal of this initiative is to have Layout Builder, Media, and Claro added to the Standard Profile. That means these features would be enabled by default for any new Drupal user.

Unfortunately, we have not made a lot of progress on this initiative. In my presentation, I talked about how I'd like to find a way for us to get it done by Drupal 10. My recommendation is that we reduce the scope of work that is required to get them into Standard Profile.

Automatic Updates

The Automatic Updates initiative's goal is to make it easier to update Drupal sites. Vulnerabilities in software, if left unchecked, can lead to security problems. Automatic updates are an important step toward helping Drupal users keep their sites secure.

The initiative made excellent progress. For the very first time, I was able to show a working development version:

Drupal 10 Readiness

The Drupal 10 Readiness initiative is focused on upgrading the third-party components that Drupal depends on. This initiative has been a lot of work, but we are largely on track.

The most exciting part? The upgrade to Drupal 10 will be easy thanks to careful management of deprecated code and continued investment in Rector. As it stands, upgrading modules from Drupal 9 to Drupal 10 can almost be entirely automated, which is a big 300% improvement compared to the Drupal 8 to Drupal 9 upgrade.

New front end theme

We are nearly at the finish line for our new front end theme, Olivero. In the past few months, a lot of effort has gone into ensuring that Olivero is fully accessible, consistent with our commitment to accessibility.

Olivero already received a glowing review from the National Federation of the Blind (USA):

"Olivero is very well done and low-vision accessible. We are not finding any issues with contrast, focus, or scaling, the forms are very well done, and the content is easy to find and navigate."

Something to be really proud of!

The health of Drupal's contribution dynamics

Next, I took a look at Drupal's contribution data. These metrics show that contributions are down. At first I panicked when I saw this data, but then I realized that there are some good explanations for this trend. I also believe this trend could be temporary.

To learn more about why this was happening, I looked at the attrition rate of Drupal's contributors — the percentage of individuals and organizations who stopped contributing within the last year. I compared this data to industry averages for software and services companies.


While typical attrition for software and services companies is considered "good" at 15%, Drupal's attrition rate for its Top 1,000 contributors is only 7.7%. The attrition rate for Drupal agencies in the Top 250 organizations is only 1.2%.

I was very encouraged by this data. It shows that we have a very strong, loyal and resilient community of contributors. While many of our top contributors are contributing less (see the full recording for more data), almost none of them are leaving Drupal.

There are a number of reasons for the slowdown in contribution:

  • The COVID-19 pandemic has made contribution more difficult and/or less desirable.
  • We are in the slow period of the "Drupal Super Cycle" — after every major release, work shifts from active development to maintenance.
  • Anecdotally, many Drupal agencies have told me they have less time to contribute because they are growing so fast (see quotes in image below). That is great news for Drupal adoption.
  • Drupal is a stable and mature software project. Drupal has nearly all the features organizations need to deliver state-of-the-art digital experiences. Because of Drupal's maturity, there are simply fewer bug fixes and feature improvements to contribute.
  • Rector-automations have led to less contribution. It's good to work smarter, not harder.

I'll expand on this more in my upcoming Who sponsors Drupal development post.

The magic of contribution

I wrapped up my presentation by talking about some of the things that we are doing to make it easier to adopt Drupal. I highlighted DrupalPod and Simplytest as two examples of amazing community-driven innovations.

After people adopt Drupal, we need to make it easier for them to become contributors. To make contribution easier, Drupal has started adopting GitLab in favor of our home-grown development tools. Many developers outside the Drupal ecosystem are accustomed to using tools like GitLab. Allowing them to use tools with which they are already familiar is an important step to attracting new contributors. Check out this video to get the latest update on our GitLab effort:

Thank you

To wrap up I'd like to thank all of the people and organizations who have contributed to Drupal since the last DriesNote. It's pretty amazing to see the momentum on our core initiatives! As always, your contributions are inspiring to me!

Categories:

Matt Glaman: phpstan-drupal 0.12.15: Improved detection of deprecated service usage

Planet Drupal - Thu, 2021/10/14 - 2:24am

I have some exciting news to share for phpstan-drupal! With the 0.12.15 release, the ability to detect and report usages of deprecated services should have full coverage! Previously, phpstan-drupal only detected if you used a method on a deprecated service. And that happened to be if the service was fetched from an object implementing ContainerInterface. That meant calls to \Drupal::service were left uncovered – even though it calls self::getContainer->get() (I thought it would "just work," but it did not.)

Categories:

Jacob Rockowitz: Asking the “Five Whys” about Open Source Sustainability at the Sustainability BoF @ NED Camp 2021

Planet Drupal - Wed, 2021/10/13 - 10:19pm

Why sustainability matters to me

As the maintainer of the Webform module for Drupal 9, I make sizable contributions to Drupal in a variety of ways: committing code, writing documentation, recording screencasts, wrangling the issue queue, and more…. Over the last five years, I’ve come to realize that figuring out how to make my contributions sustainable is essential.

Sustainability has been a consistent theme in my blog. Last year, when it seemed that my organization was moving away from Drupal, I thought a lot about my commitment to Drupal and the sustainability of my work on the Webform module. This challenge encouraged me to improve the Webform module’s Open Collective. I worked to persuade individuals and organizations to invest (aka sponsor) in the ongoing maintenance of the Webform module. The number of backers and the annual budget of the Webform module’s Open Collective has grown substantially; for this, I am very grateful. Talking more about the Webform module and its Open Collective is a discussion for another day.

Engaging in the more extensive discussion around sustainability

Recently, John Picozzi (johnpicozzi) asked me to help facilitate the online Sustainability BoF at New England Drupal Camp (NEDCamp) on Friday, November 19th, 2021. I hesitated because I have mixed feelings about the topic. At the beginning of this blog post, I stated I...Read More

Categories:

Dries Buytaert: State of Drupal presentation (October 2021)

Planet Drupal - Wed, 2021/10/13 - 3:00pm

Categories:

robertroose.com: 27 more Drupal modules every Drupal professional should know about

Planet Drupal - Wed, 2021/10/13 - 11:11am

Extending Drupal with modules is a great way to create a complex website. Here are 27 of my favourite Drupal modules.

Categories:

Promet Source: 20 Reasons to Start Your Drupal 7 to 9 Migration NOW!

Planet Drupal - Tue, 2021/10/12 - 6:05pm
Does 13 months feel like a comfortable cushion between now and the Nov. 28, 2022 Drupal 7 end of life? It’s not. The time to get serious about your Drupal 9 migration is now. There are countless reasons why.  Here are our top 20. 
Categories:

Tag1 Consulting: Get to know the Drupal Security Team with Michael Hess: Part 1

Planet Drupal - Tue, 2021/10/12 - 3:59pm

Drupal’s Security Team has been one of the most critical and long-lasting sub-groupings throughout the entire existence of Drupal as an open source project. This team of volunteers evaluates, processes, and reviews security reports and fixes, helping to ensure that Drupal as a project maintains its status as highly secure software. In this Tag1 Team Talk, Tag1 Managing Director Michael Meyers is joined by Drupal Security Team member Michael Hess. In this installment, they will talk about what the Security Team does, who does it, and how. They will also differentiate between the Security Team and the Working Group, and how their responsibilities overlap but are not the same. If you’ve ever reported a security issue, or wondered how security reports are handled, this talk explains it all. And if you’ve ever considered joining the Drupal Security Team, get the inside scoop on how that happens, here. --- For a transcript of this video, see Transcript - Understanding the Drupal Security Team with Michael Hess, part 1. --- Photo by SIMON LEE on Unsplash

Read more lynette@tag1co… Tue, 10/12/2021 - 06:59
Categories:

ADCI Solutions: About Drupal 8 End of Life in a simple non-technical language

Planet Drupal - Tue, 2021/10/12 - 2:39pm

On November 2, 2021, support for Drupal 8 will come to an end. This means that the core of this CMS version will no longer receive any security updates or new functionality.

Read our post to learn why postponing migration to Drupal 9 threatens your business and reputation.

As a small bonus, we discuss whether it is reasonable to roll back to Drupal 7.

Categories:

Event Organizers: Event Organizer's Working Group - Seeking Board Members and Advisory Committee Members - Submit Your Nomination Today

Planet Drupal - Tue, 2021/10/12 - 1:52pm
Submit Your Nomination Today

The Drupal Event Organizers Working Group is seeking nominations for Board Members and Advisory Committee Members. Anyone involved in organizing an existing or future community event is welcome to nominate. 

EOWG Board Members. We are currently looking for nominations to fill two (4) board seats. Interested organizers are encouraged to nominate themselves. 

The following members' terms are expiring this year:

  • Kaleem Clarkson (first term)
  • Matthew Saunders (first term)
  • Suzanne Dergacheva (first term)
  • Andrii Podanenko (first term)
     

EOWG Advisory Committee. We are looking for advisory committee members. The advisory committee is designed to allow individuals to participate who may not have a consistent availability to meet or who are interested in joining the board in the future. 

Submit Your Nomination: To submit your nomination please visit the Issue below and submit your name, event name, country, territory/state, and a short reason why you would like to participate.  

Issue: https://www.drupal.org/project/event_organizers/issues/3241177 

Nomination Deadline:  Thursday, October 28, 2021 11:59 pm UTC

Categories:

Specbee: A Deep Dive into the Webform Module for Drupal 8/9

Planet Drupal - Tue, 2021/10/12 - 1:47pm
A Deep Dive into the Webform Module for Drupal 8/9 Ankitha 12 Oct, 2021

The Webform module is the most powerful and flexible form builder and submission manager for Drupal. It gives  site builders the power to easily create complex forms instantly. It comes with a certain level of default settings, also letting you customize it as per your requirements.

Check out this amazing blog - Drupal 8 Webform Module - A Brief Tutorial to help you get started with the Webform module in your Drupal 8/9 site. This will help you understand the basics easily. 

The Webform module ships with a lot of interesting features and I’d like to mention a few here.

Webform Features

1. Altering form & elements

Any form, element and its related settings can be altered by using their respective hooks. Below are a few of the hooks that are available; you can find more in the webform.api.php file:

  • Form hooks

        ◦ hook_webform_submission_form_alter(): Perform alterations before a webform submission form is rendered.

  • Element hooks

        ◦ hook_webform_element_alter(): Alter webform elements.

  • Option hooks

        ◦ hook_webform_options_alter(): Alter webform options.

  • Handler hooks

        ◦ hook_webform_handler_invoke_alter(): Act on a webform handler when a method is invoked.

  • more hooks…

        ◦ hook_webform_access_rules_alter() etc.: Alter list of access rules that should be managed on per webform level.

2. YAML Source

The Webform module started as a YAML Form module, which allowed people to build forms by writing YAML markup. At some point, the YAML Form module started to have UI and became the Webform module for Drupal 8.

  • YAML provides a simple & easy to learn markup language for building & bulk editing a webform's elements.
  • The (View) Source page allows developers to edit a webform's render array using YAML markup. Developers can use the (View) Source page to hand-code webforms to alter a webform's labels quickly, cut-n-paste multiple elements, reorder elements, as well as add custom properties and markup to elements.
  • Here’s an example of a Contact form and its corresponding YAML source code:

 

A Contact form with drag-n-drop UI

 

The Contact form’s YAML source code

3. Conditional fields

Webform lets you add conditional logic to your elements within your form. Let us consider a small example, wherein we need to conditionally handle the visibility of elements based on the value of another element within the form.

Here’s an example form with two-step fields, STEP 1 (Radios element) with options ‘Email’ and ‘Mobile Number’. STEP 2 (Fieldset) with two elements, 'Email' and 'Mobile Number'.

Form Build page

Form View page

In the above example, I would like to show the ‘Email’ field if the ‘Email’ option is chosen in Step 1, else show the ‘Mobile Number’ field if the ‘Mobile Number’ option is chosen in Step 1.

To achieve that, edit your ‘Email’ field, click on the ‘Conditions’ tab, choose the ‘State’ as ‘Visible’ and set the ‘Trigger/Value’ as ‘STEP 1 [Radios] value is email’. Similarly, follow the same steps to add conditional logic to your ‘Mobile Number’ field and set the ‘Trigger/Value’ as ‘STEP 1 [Radios] value is mobile_number’. Here’s the final look of the Webform:

Setting up conditional logic

Form when ‘Email’ is chosen on STEP 1

Form when ‘Mobile Number’ is chosen on STEP 1

4. Custom options properties

Webform lets you add custom option properties to your form elements.

Imagine a scenario where you would want to conditionally handle the options of a radio element based on the value of a different element within the form. How would you do that?

Well, I did not find any way to handle it through the Conditional logic settings from the UI. But there is a provision to set ‘custom options properties’ to your element, wherein you write the required conditional logic targeting your options within the element using the YAML code.

Here is an example, where we can see two radio elements and based on the option I select in the first element, the visibility of the options within the second element should change.

Form Build page

Form View page before adding any custom options properties:

  • If ‘Type A’ is chosen, then ‘Option 1’ and ‘Option 2’ should be visible from the second element. Similarly, if ‘Type B’ is chosen, then ‘Option 3’ and ‘Option 4’ should be visible. To achieve this edit the second element, go to the ‘Advanced’ tab, scroll down to the ‘Options (custom) properties’ sections and write the necessary logic in YAML.

Setting up the options properties

Form when ‘Type A’ is chosen

Form when ‘Type B’ is chosen
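The logic described above, written out as the YAML that goes into the ‘Options (custom) properties’ field. This is an added example, not the configuration from the original post: it assumes the first radios element has the key `type` with option values `type_a` and `type_b`, and that the second element's option values are `option_1` to `option_4`.

```yaml
# Each top-level key is an option VALUE of the second radios element (assumed keys).
# Properties under it are applied to that single option; '#states' follows the
# standard Drupal Form API states syntax.
option_1:
  '#states':
    visible:
      ':input[name="type"]':   # 'type' is the assumed key of the first element
        value: type_a
option_2:
  '#states':
    visible:
      ':input[name="type"]':
        value: type_a
option_3:
  '#states':
    visible:
      ':input[name="type"]':
        value: type_b
option_4:
  '#states':
    visible:
      ':input[name="type"]':
        value: type_b
```

Drupal's `#states` are applied by JavaScript in the browser, so this controls what is displayed; if the pairing between the two elements matters for your data, check it on the server as well.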

5. Webform submission email handlers
  • Email handlers

Email handlers send a webform submission via email. To add email handlers to your webform, go to ‘Settings’ and then the ‘Emails/Handlers’ tab. Next, click on the ‘Add Email / Add handler’ button.

Add Email Handler

  • As shown in the image below, on the ‘General’ tab, add the ‘Title’ and set the ‘Send to’ and ‘Send from’ details. Add the message ‘Subject’ and ‘Body’ as required and save the configuration form.

 

And that’s about it. Your handler gets fired whenever the form is submitted.

  • You can also add conditional email handlers to your webform, i.e., trigger different email handlers based on the value of certain elements within the form.
  • For example, let us consider a ‘Select’ element with values ‘Type 1’ and ‘Type 2’. If the user submits ‘Type 1’, trigger the ‘Email - Type 1’ handler, which has its ‘To’ address set to ‘user1@gmail.com’. If the user submits ‘Type 2’, trigger the ‘Email - Type 2’ handler, which has its ‘To’ address set to ‘user2@gmail.com’.
  • To add conditional logic to your email handler, create one handler and name it ‘Email - Type 1’. Set the ‘To’ address to ‘user1@gmail.com’, switch to the ‘Conditions’ tab, choose the ‘State’ as ‘Visible’ and set the ‘Trigger/Value’ as ‘Select Type [Select] value is type_1’.
  • Similarly, create the second handler and name it ‘Email - Type 2’. Set the ‘To’ address to ‘user2@gmail.com’, switch to the ‘Conditions’ tab, choose the ‘State’ as ‘Visible’ and set the ‘Trigger/Value’ as ‘Select Type [Select] value is type_2’.

 

  • Scheduled email handlers
    • This handler extends the Webform module's email handler to allow emails to be scheduled. To use this feature, enable the ‘Webform Scheduled Email Handler’ sub-module.
    • To schedule an email of the form submissions, click on the ‘Add handler’ button and select the ‘Scheduled Email’ handler.

 

The ‘Scheduled Email’ handler has only one extra configuration setting compared to the normal ‘Email’ handler: the schedule email date, which is set under the ‘General’ settings tab.

 

Scheduled email handler

Set the date to trigger your handler and when the next cron is run, your email will be sent!

Finding Help

There are different ways through which you can seek help with the webform module. Here is a list of a few sources:

There’s just so much this versatile Webform module can do that we cannot possibly cover it all in one article. If you love Webforms as much as we do, we’d encourage you to get involved and contribute in any way possible. Looking for professional Drupal services and expertise to build your next Drupal website with beneficial modules such as this? We would love to hear from you. 


Categories:

Talking Drupal: Talking Drupal #315 - Wordpress vs Drupal Communities

Planet Drupal - Mon, 2021/10/11 - 3:45pm

Today we are talking about what the Drupal and WordPress communities could learn from one another, with Tara King.

TalkingDrupal.com/315

Topics
  • What makes the WP community different?
  • Automattic influence on the community.
  • What could the Drupal community learn from the WP community?
  • Is there a lot of crossover in people in each community?
  • Do you think there is anything the WP community could learn from Drupal?
  • What are some struggles shared across the two communities?
  • How does platform sustainability differ between the two communities?
  • Why do you think so many more people gravitate towards WP?
Module of the Week

Resources

Hosts
  • Nic Laflin - www.nLighteneddevelopment.com @nicxvan
  • John Picozzi - www.epam.com @johnpicozzi
  • Tara King - @sparklingrobots

Categories:

Morpht: Drupal personalization roundup (2014 - 2021)

Planet Drupal - Mon, 2021/10/11 - 4:39am
A roundup of what has happened in Drupal personalization from 2014 to 2021 covering presentations, module releases and trends.
Categories: