drupal 9.3.21

This is a patch (bugfix) release of Drupal 9 and is ready for use on production sites. Learn more about Drupal 9.

The CKEditor 5 experimental module is being developed for Drupal 10 WYSIWYG editing and depends on the third-party CKEditor 5 JavaScript library. CKEditor has issued a security advisory for CKEditor 5:

• CVE-2022-31175: Cross-site scripting (XSS) caused by the editor instance destroying process

Drupal core is only known to be vulnerable when the full HTML format is used with CKEditor within QuickEdit, and the exploit only affects the user who inserts a JavaScript payload. Since full HTML already allows writing JavaScript that can contain cross-site scripting (XSS) payloads, we are treating this update as a public security hardening.

CKEditor 4 is not affected, so sites where only the stable CKEditor module is used (with the CKEditor 5 experimental module uninstalled) will not be impacted and do not urgently need to update to this release.

Drupal 9.3.x will receive security coverage until December 2022.

If you are upgrading from Drupal 8, read upgrading a Drupal 8 site to Drupal 9, 9.0.0 release notes, and the 9.3.0 release notes before upgrading to this release.

Important update information

• CKEditor 5 has been updated from 34.1.0 to 35.0.1 for a security update. This update also introduces backwards compatibility breaks from CKEditor 35.0.0. Therefore, maintainers of CKEditor 5 integrations should review the CKEditor 35.0.0 release notes.

Known issues

Search the issue queue for known issues.

All changes since 9.3.20

• Issue #3301495 by lauriii, nod_: Update CKEditor 5 to 35.0.1
• Issue #3300773 by bradjones1, xjm, catch, andypost, Spokje: Fix failed test on `symfony/http-foundation` 4.4.44/6.1.3 and later