xjm: "Anemone": The brief tale of a Drupal core security advisory

xjm, Fri, 06/20/2025 - 15:03

A long while back, security researcher Sam Mortenson reported a cross-site scripting vulnerability in Drupal core's Link module. Essentially, the options property on link fields was not being properly sanitized. This meant cross-site scripting was possible under some circumstances -- and, as always for cross-site scripting, we were concerned that the XSS could be combined with other attacks and escalated to more serious exploits.

Drupal Association blog: DrupalCon North America 2026: Evolving for the Community

DrupalCon has always been a conference by the community, for the community—and as we look ahead to DrupalCon North America 2026 in Chicago, we’re making thoughtful changes to ensure it continues to reflect those values.

After a successful DrupalCon Atlanta, we’ve taken time to reflect, gather feedback, and make updates that prioritize access, sustainability, and community connection.  Each of the changes outlined below is rooted in one or more of these values—whether it's improving affordability, building lasting relationships, or creating a more efficient and inclusive event experience. With guidance from the DrupalCon North America Steering Committee, we’re excited to share a refreshed ticket structure, updated volunteer policies, a reimagined Expo Hall, and a renewed focus on summits, trainings, and collaboration.

What’s New for 2026

Ticket Pricing: More Affordable, More Accessible

We’ve simplified and lowered the cost of general admission tickets to make DrupalCon more accessible—without sacrificing the quality of experience our community expects. These changes were driven by feedback from past DrupalCon attendees, the North American Steering Committee, and the community at large, all of whom expressed a strong desire for more affordable access to the event.

Ticket Tier     Atlanta 2025    Chicago 2026    Savings
Early Bird      $890            $575            $315
Regular         $990            $700            $290
Late/Onsite     $1,190          $850            $340

Early Bird registration opens September 15, 2025 and is open for 16 weeks!
Secure your ticket early to lock in the best rate.

Camp & Local Association Ticket Perks

For every 5 tickets purchased from a Drupal camp or local association, that community will receive 1 complimentary ticket to share with a deserving community member, with a max of 10 complimentary tickets per local camp or association. It's our way of reinvesting in local leadership and participation.

Updated Volunteer Ticket Policy

This change reflects our focus on access and sustainability. In our DrupalCon Atlanta recap blog, we highlighted how streamlined operations improved the event experience for attendees and volunteers alike. Building on that momentum, we recognized the need for clearer guidelines to ensure volunteer opportunities are distributed fairly and effectively.

We’ve updated the volunteer ticket structure to make it more equitable and scalable:

  • Volunteer under 20 hours → 25% discount
  • Volunteer 20+ hours → Complimentary ticket

These tickets are non-transferable and may not be combined with other discounts.

Previously, volunteer ticket codes were sometimes misused or distributed without proper oversight. These updated guidelines help preserve full complimentary tickets for those who contribute a significant amount of time and effort, while also creating new opportunities for others to attend at a reduced rate.

Additionally, we’ve streamlined the on-site registration process with self-check-in, reducing the need for a large number of on-site volunteers and allowing us to focus support where it’s most impactful.

Learn more and sign up to volunteer.

Summits & Trainings: Real Talk, Real Skills

Summits are one of DrupalCon’s most valuable opportunities for industry-specific collaboration and knowledge sharing. Designed to connect attendees working in the same verticals, these events offer focused access to speakers with real-world experience, engaging roundtable discussions with peers in similar roles, and meaningful conversations about shared challenges. Attendees walk away with practical takeaways and lasting connections, while participating sponsors have a chance to introduce themselves to leaders in the space in an organic, relevant way.

Taking place Monday, 23 March 2026.

Industry & Community Summits

Join peers in:

  • Healthcare
  • Higher Education
  • Government
  • Nonprofit
  • Community

Each summit features two half-day sessions that do not conflict with the main conference program, creating space for meaningful discussion and idea sharing.

Summit Type         Atlanta 2025    Chicago 2026
Industry Summit     $250            $300
Community Summit    Free            Free for RippleMaker members, $50 for non-member

(Click HERE to become a Ripple Maker)

Lunch is not included with the Community Summit, but a lunch ticket add-on will be available for purchase during registration.

Trainings

DrupalCon Trainings remain at $500 and offer deep-dive, expert-led learning opportunities on a wide range of Drupal skills.

More Community Updates

You’ll notice more networking spaces and informal meeting zones—especially in the Expo Hall and hallways. We’re doubling down on meaningful, unstructured connections.

These changes are only possible through thoughtful cost management and the continued support of our sponsors. Their partnership helps us keep ticket prices accessible while delivering the high-quality experience the community expects. We’re grateful to those who invest in DrupalCon and help us create an event that welcomes and supports everyone.

Traveling from Outside the U.S.?

The Drupal Association is happy to issue official invitation letters for those requiring a visa.

Request your visa letter here.

Letters are generated automatically—just complete the form and check your email (including spam folders).

Key Dates

Milestone                                   Date
Program at a Glance Released                6 June 2025
Call for Speakers Opens                     21 July 2025
Early Bird Registration Opens               15 September 2025
Call for Speakers Closes                    26 September 2025
Grants & Scholarships Applications Open     1 October 2025
Grants & Scholarships Applications Close    31 October 2025
Session Notifications to Speakers           12 November 2025
Grant & Scholarship Recipients Announced    12 November 2025
Regular Registration Opens                  5 January 2026
Conference Schedule Available               13 January 2026
Late Registration Opens                     23 February 2026
DrupalCon Chicago                           23-26 March 2026

Stay at the Heart of the Action

Hilton Chicago is DrupalCon’s official headquarters hotel—and it's where the magic happens.

From morning coffee chats to late-night strategy sessions in the lobby, this is where the community connects. Staying on-site helps you maximize your time, make spontaneous connections, and be part of the full experience.

Book your room at the Hilton Chicago.

Sponsorship Updates

We’re reimagining our sponsorship offerings to better connect you with the Drupal community—bringing fresh opportunities and updated packages designed for greater visibility, value, and impact.

Want to be the first to know when they go live? Email partnerships@association.drupal.org and we’ll make sure you're on the list.

Let’s Build What’s Next—Together

DrupalCon is more than just a conference—it’s the beating heart of our community. These changes help us keep that heart strong, inclusive, and accessible.

We can’t wait to see you in Chicago, 23-26 March 2026.

The Drop Times: “What You Permit, You Promote” - Fei Lauren on Drupal Inclusion

In her interview with Alka Elizabeth of The DropTimes, Fei Lauren, Delivery Manager & Front End Developer at Renesas Electronics, Drupal Diversity & Inclusion leader and Drupal Association board member, reflects on everything from her Geocities-era HTML experiments to nearly a decade of global community work. She shares how she overcame impostor syndrome in a competitive board election, why authenticity matters more than polish, her mantra “what you permit you promote” and her Pride Month efforts with the Drupal Rainbow community. Plus, she outlines her vision for distributed leadership in DDI, plans to bring DrupalCon to Latin America and Africa and even her dream of studying Interactive Art at SFU.

The Drop Times: Why Use Automated Testing Kit? - Part 1

Part 1 of a three-part series for The DropTimes by André Angelantoni. Automated Testing Kit delivers a ready-to-use suite of over two dozen Drupal-specific smoke tests, helper functions, pre-flight server checks and clear documentation. With identical Cypress and Playwright test sets, Drupal teams can catch bugs early, reduce downtime costs and accelerate development by integrating automated end-to-end testing out of the box.

Golems GABB: Drupal CMS auto-updates: How to prepare? How to enable?

Editor, Tue, 06/24/2025 - 14:12

Working with Drupal requires certain experience, knowledge, and skills. Even if you successfully create a project on Drupal, in the near future, you will need to install updates and upgrade the site. To avoid doing this manually, use a convenient new solution.
Drupal Auto-Updates in 2025 is a new option for auto-website updates. Thus, you can forget about constant control of each patch or fix. The system will independently and automatically work through everything if necessary.
Today you will learn all the necessary details about Drupal auto-updates and how this will affect web development and website owners in the future.

Drupal AI Initiative: Introducing a free Drupal AI Webinar Series in Partnership with the European Commission

Drupal is entering a new era, transforming into an AI-first CMS. Powered by open, ethical, and human-centred AI.

We’re proud to launch the free webinar training series offered in partnership with the European Commission. These free, public webinars are designed to equip the global Drupal community with practical skills, architectural understanding, and the ethical frameworks needed to work with AI inside Drupal. Whether you’re a developer, site builder, content strategist, or part of a digital agency team, there’s something here for you.

The series brings together contributors from across the open source AI ecosystem, featuring maintainers of the AI module, members of the Drupal AI Strategic Initiative, and the wider Drupal CMS innovation team.

We really believe that the process of contributing—of trying things out, experimenting on difficult problems—helps bring AI knowledge into both individuals and their organisations.
 Jamie Abrahams

Watch the first session recording today

“Bringing Drupal AI into your DNA - How to Learn, Use and Contribute to the Drupal AI Ecosystem” aired live on 10 June and is available to watch on YouTube. Hosted by Jamie Abrahams (FreelyGive) with a guest appearance from Drupal founder Dries Buytaert (Acquia), this session outlined the architecture, vision, and community momentum behind Drupal’s approach to AI.

It introduced viewers to:

  • The AI module and its plugin-based approach to LLM providers
  • Use cases like content automation, accessibility improvements, and semantic search
  • The ethical principles guiding Drupal’s AI efforts: Trust, Transparency, and Choice
  • Drupal AI Agents and Swarms: modular, no-code AI orchestration already in use today
  • A strategic roadmap that includes tight integration with upcoming Experience Builder features and MCP (Model Context Protocol)

We imagine a future where site builders define the goal—like 300 event signups—and AI agents get to work alongside humans to make it happen.
Dries Buytaert

Upcoming Sessions

In the coming months, the webinar series continues with targeted training sessions that build upon each other. All sessions are free, recorded, and open to the public.

  • 1 July: Installing the AI Module & Basic Features
  • 2 September: AI Search
  • 23 September: AI Agents (No-Code Creation)
  • 7 October: Advanced: Build AI Agents with Code

Each webinar will include demonstrations, practical walk-throughs, and guidance on how to get started, contribute back, and explore AI ethically in your Drupal projects.

AI is not a substitute for human intelligence—it’s a tool to amplify human creativity and ingenuity.
Jamie Abrahams

Do You Want to Get Involved?

You can sign up for upcoming sessions and explore the series details. This is your opportunity to learn from the team building the future of Drupal and to participate in shaping it. Are you interested in content automation, smarter search, accessibility tooling, or advanced AI orchestration? Then this series is for you.

We can’t skip the human-in-the-loop. It’s essential that humans stay in control, and that AI in Drupal remains transparent, auditable, and ethical.
Dries Buytaert

If you believe in the power of open source, ethical tech, and community-led innovation, this is where to begin.
 

ComputerMinds.co.uk: The new Autocreate Access module


When a client has a need or idea that other people might benefit from, it's a great opportunity to contribute a module back to the community. I recently created the new Autocreate Access module to solve a problem on a project where Drupal's autocomplete tagging widget for taxonomy terms didn't work as our client expected. Typically, Drupal sites utilise this field widget to allow users to create new categories for their content on the fly. However, our client wanted to prevent ordinary site visitors from being able to create new tags, but still be able to select from existing ones - whilst allowing privileged editors to create tags from the same widget. 

Without this module, Drupal doesn't make that distinction between different kinds of users: either everyone who can use the widget can create new terms, or none of them can!

Image caption: The autocomplete (tags style) widget usually looks like this. A 'News' category has already been selected, then 'Re' has been typed so existing categories containing those letters are shown. But the user might continue to type 'Restrictions', which would be a new tag to the CMS.

Drupal already has excellent access controls in place, using roles and permissions for granular control over what different kinds of visitors can see and do. It even includes specific CRUD permissions for each vocabulary of terms that this widget allows picking from. So all I needed to do was wire up the autocomplete tagging widget to respect the existing permission for creating terms in the vocabulary for these tags. Install the module, and then configure it in any fields you want to use it for: simply tick the 'Respect access' box on Drupal's configuration form for editing a field:

Image removed.

As the description beneath the checkbox in that screenshot implies - this applies to any entity, not just taxonomy terms! The 'Tags style' autocomplete widgets are most commonly used with taxonomy terms, but they can be used on any entity reference field. Given that access controls around other entity types often need to be tighter, I can see this being an important tool to allow the easy editing that this widget provides, without circumventing restrictions!

Under the hood, the autocomplete widget uses Drupal's entity_autocomplete form element, which uses an #autocreate property to control how unmatched tags should be handled. (Hence 'autocreate' in my module's name!) The field widget simply populates this with the vocabulary/bundle selected in the field configuration. The Autocreate Access module just adds a check to enforce that the #autocreate property is only set when the currently logged-in user actually has access to create those terms/entities.
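The check described above can be sketched as a widget alter hook. This is an added example, not the Autocreate Access module's own code: `mymodule` is a hypothetical module name, and the sketch assumes the check applies to every entity reference autocomplete widget rather than being switched on per field with the 'Respect access' box.

```php
<?php

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_field_widget_single_element_form_alter().
 *
 * "mymodule" is a hypothetical module name. Assumption: the check applies to
 * every entity reference autocomplete widget, with no per-field setting.
 */
function mymodule_field_widget_single_element_form_alter(array &$element, FormStateInterface $form_state, array $context) {
  // Entity reference autocomplete widgets keep the form element under
  // 'target_id'; skip every other kind of widget.
  if (!isset($element['target_id']['#type']) || $element['target_id']['#type'] !== 'entity_autocomplete') {
    return;
  }
  $target = &$element['target_id'];
  if (empty($target['#autocreate']['bundle'])) {
    // Autocreate is already off for this field; nothing to restrict.
    return;
  }

  // Ask the target entity type's access handler whether the current user may
  // create an entity of the bundle that new tags would be saved into.
  $access = \Drupal::entityTypeManager()
    ->getAccessControlHandler($target['#target_type'])
    ->createAccess($target['#autocreate']['bundle'], \Drupal::currentUser(), [], TRUE);

  if (!$access->isAllowed()) {
    // Without #autocreate the element only accepts existing entities.
    unset($target['#autocreate']);
  }

  // The outcome depends on the user's permissions, so carry the access
  // result's cache contexts and tags onto the render array.
  CacheableMetadata::createFromRenderArray($element)
    ->addCacheableDependency($access)
    ->applyTo($element);
}
```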

You might think that perhaps Drupal should do this by default - and it's an open question that's been asked before which is probably worth addressing in core. But I can appreciate that many websites still want to allow easy free-tagging without having to think about permissions (or giving direct access to full standalone forms for creating terms). Changing that behaviour could break backwards-compatibility, which might not be worth the hassle of delivering a change within core. At least this new module now makes it easy to choose whether to respect vocab permissions when creating tags on the fly. 

I've just tagged (get it?!) the first stable release of the new Autocreate Access module - please let me know how you get on with it or if you have any ideas for it!