Bump wagtail from 6.4.2 to 7.0.6

[dependabot]

Bumps wagtail from 6.4.2 to 7.0.6.

Release notes

Sourced from wagtail's releases.

7.0.6

• Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
• Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)

7.0.5

• Remove upper bound on Pillow dependency (Kunal Hemnani)

7.0.4

• Fix: Prevent error on custom generic create and edit views without a header icon (Sage Abdullah)
• Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

7.0.3

• Fix: Prevent crash when previewing a form page with an empty field type (Sage Abdullah)

7.0.2

• Fix: Prevent error when restoring scroll position for cross-domain preview iframe (Sage Abdullah)
• Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
• Fix: Ensure the editing of translation alias pages correctly shows links to the source page if the alias was created from a draft (Dan Braghis)

7.0.1

• Fix: Fix type hints for register_filter_adapter_class parameters (Sébastien Corbin)
• Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)
• Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)
• Fix: Fix saving of empty values in EmbedBlock (Matt Westcott)
• Fix: Sanitize request data when logging method not allowed (Jake Howard)
• Docs: Use tuple instead of set in UniqueConstraint examples for a custom rendition model to avoid spurious migrations (Alec Baron)
• Docs: Document how to turn off StreamField block previews (Shlomo Markowitz)
• Maintenance: Use utf8mb4 charset and collation for MySQL test database (Sage Abdullah)

7.0 LTS

• Add formal support for Django 5.2 (Matt Westcott)
• Allow validation of required fields to be deferred on saving drafts (Matt Westcott, Sage Abdullah)
• Add WAGTAIL_ prefix to Wagtail-specific tag settings (Aayushman Singh)
• Implement normalize on TypedTableBlock to assist with setting default and preview_value (Sage Abdullah)
• Apply normalization when modifying a StreamBlock's value to assist with programmatic changes to StreamField (Matt Westcott)
• Allow a custom image rendition model to define its unique constraint with models.UniqueConstraint instead of unique_together (Oliver Parker, Cynthia Kiser, Sage Abdullah)
• Default to the standard tokenizer on Elasticsearch, to correctly handle numbers as tokens (Matt Westcott)
• Add color-scheme meta tag to Wagtail admin (Ashish Nagmoti)
• Add the ability to set the default privacy restriction for new pages using get_default_privacy_setting (Shlomo Markowitz)
• Improve performance of batch purging page urls in the frontend cache, avoiding n+1 query issues (Andy Babic)
• Add better support and documentation for overriding or extending icons used in the in the userbar (Sébastien Corbin)
• List the comments action, if comments are enabled, within the admin keyboard shortcuts dialog (Dhruvi Patel)
• Add better support and documentation for overriding the default field widgets used within form pages (Baptiste Mispelon)
• Allow workflow tasks to specify a template for the action modal via get_template_for_action (Sage Abdullah)
• Change 'Publish' button label to 'Schedule to publish' if go-live schedule is set (Sage Abdullah)
• Exclude snippets that have their own menu items from the "Snippets" menu (Andy Chosak, Matt Westcott)
• Introduce new designs for listings and chooser pagination (except page chooser) (Jordan Teichmann, Sage Abdullah)
• Add default "Locale" column to listings and choosers of translatable models (Dan Braghis, Sage Abdullah)
• Apply current content's locale in choosers by default and add the ability to clear the locale filter (Dan Braghis)
• Hide add locale button when no more languages are available (Dan Braghis)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.0.6 (03.03.2026)

 * Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
 * Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
7.0.5 (12.02.2026)

• Remove upper bound on Pillow dependency (Kunal Hemnani)

7.0.4 (03.02.2026)

 * Fix: Prevent error on custom generic create and edit views without a header icon (Sage Abdullah)
 * Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)
7.0.3 (28.08.2025)

• Fix: Prevent crash when previewing a form page with an empty field type (Sage Abdullah)

7.0.2 (24.07.2025)

 * Fix: Prevent error when restoring scroll position for cross-domain preview iframe (Sage Abdullah)
 * Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
 * Fix: Ensure the editing of translation alias pages correctly shows links to the source page if the alias was created from a draft (Dan Braghis)
7.0.1 (12.06.2025)

• Fix: Fix type hints for register_filter_adapter_class parameters (Sébastien Corbin)
• Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)
• Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)
• Fix: Fix saving of empty values in EmbedBlock (Matt Westcott)
• Fix: Sanitize request data when logging method not allowed (Jake Howard)
• Docs: Use tuple instead of set in UniqueConstraint examples for a custom rendition model to avoid spurious migrations (Alec Baron)
• Docs: Document how to turn off StreamField block previews (Shlomo Markowitz)
• Maintenance: Use utf8mb4 charset and collation for MySQL test database (Sage Abdullah)

7.0 LTS (06.05.2025)

 * Add formal support for Django 5.2 (Matt Westcott)
 * Allow validation of required fields to be deferred on saving drafts (Matt Westcott, Sage Abdullah)
</tr></table> 

... (truncated)

Commits

• c445aa7 Version bump to 7.0.6 final
• 87ec63c Release note for CVE-2026-28223 in 7.0.6
• 4bce4cc Release note for CVE-2026-28223 in 6.3.8
• ee39d39 Enforce HTML escaping of all confirmation / warning / error messages
• 467071f Release note for CVE-2026-28222 in 7.0.6
• d571c41 Release note for CVE-2026-28222 in 6.3.8
• 4620423 Correctly escape class, rowspan and colspan attributes in TableBlock HT...
• 4fdbb39 Version bump to 7.0.5
• 59d2ead Release notes for 7.0.5
• cc0c843 Release notes for 6.3.7
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.