Bump wagtail from 4.2.4 to 7.3.1 #1852

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/wagtail-7.3.1

@dependabot dependabot Bot commented on behalf of github Mar 4, 2026

Bumps wagtail from 4.2.4 to 7.3.1.

Release notes

Sourced from wagtail's releases.

7.3.1

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
  • Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
  • Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
  • Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
  • Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.3

  • Add support for Django 6.0
  • Resize overly large avatar images on upload (Harshit Ranjan)
  • Add natural keys for Page and Collection models (Samya Aggarwal)
  • Add Loom oEmbed provider (Nick Ivons)
  • Add ModelViewSet.pk_path_converter with defaults for IntegerField and UUIDField primary keys (Seb Corbin)
  • Improve accessibility for sidebar menu with visual active (expanded) menu item indicators (Vignesh Shivhare)
  • Add before_edit_setting / after_edit_setting hooks (Baptiste Mispelon)
  • Lower default AVIF encoding quality from 80 to 73 (Thibaud Colas)
  • Provide a structured rendering of StreamBlock in comparison view (Taras Panasiuk)
  • Add support for settings and custom block layouts for StructBlock (Sage Abdullah)
  • Add llms.txt versions of the developer documentation and Wagtail user guide (Thibaud Colas)
  • Lower default JPEG and AVIF image quality settings to provide consistent perceptual quality between formats (Thibaud Colas)
  • Add support for custom content checks with client-side registration (Thibaud Colas)
  • Initial support for autosave (Matt Westcott, Sage Abdullah)
  • Fix: Do not try to resolve locale during fixture load (Jake Howard, Seb Corbin)
  • Fix: Gracefully handle oEmbed responses with a non-200 status or missing type (Shivam Kumar, Bhavesh Sharma)
  • Fix: Keep action button labelled as "Publish" rather than "Schedule to publish" if go-live date has passed (Vishrut Ramraj)
  • Fix: Pass accumulated icons to each register_icons hook (Joey Jurjens, Sage Abdullah)
  • Fix: Skip revisions that are missing the specified field in StreamField migrations (Joshua Munn)
  • Fix: Preserve listing search and filter parameters when redirecting from bulk actions (Sage Abdullah)
  • Fix: Ensure that object references within TypedTableBlock are counted in the reference index (Aman Bora)
  • Fix: Fix slug auto-generation when slug field is omitted from page edit form (Pravin Kamble)
  • Fix: Ensure request.is_preview and request.preview_mode are set for password-required responses (Ishtpreet Singh)
  • Fix: Optimise storage of redirect paths containing Unicode characters and ensure percent-encoded characters are matched case-insensitively (Andy Babic, Florin Barnea, Aman Bora, Matt Westcott)
  • Fix: Ensure that reference index records are deleted when the target object is deleted (bettercallok)
  • Fix: Ensure filters are applied to export button URLs in custom page listings (Ritik Arya, Sage Abdullah)
  • Fix: Prevent conflicting IDs in nested StructBlocks with blocks named content (Sage Abdullah, Serkan Korkusuz)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)
  • Docs: Recommend running purge_embeds after an embed provider changes policies (Paul Souders)
  • Docs: Document WAGTAILIMAGES_FORMAT_CONVERSIONS in the settings docs (David Buxton)
  • Docs: Wording changes to Draftail extension docs to improve searchability (Lasse Schmieding)
  • Docs: Fix StreamField param name (Baptiste Mispelon)
  • Docs: Clarify that before_delete_page and similar hooks only trigger on the individual page view, not bulk actions (Shivam Kumar)
  • Docs: Clarify template location in custom user model documentation (Akhil Muraleedharan)
  • Docs: Improve signposting for contributor docs (Matt Westcott)
  • Docs: Add mention of novalidate attribute in form builder docs (Thibaud Colas)
  • Docs: Fix formatting for PageQuerySet.prefetch_related performance note (Lasse Schmieding)
  • Docs: Fix path to search.html in tutorial (Lee Hart)
  • Docs: Grammar fixes to contributor guidelines (Biswajeet Yadav)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.3.1 (03.03.2026)


 * Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
 * Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
 * Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
 * Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
 * Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
 * Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
 * Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
 * Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.3 (03.02.2026)


 * Add support for Django 6.0
 * Resize overly large avatar images on upload (Harshit Ranjan)
 * Add natural keys for `Page` and `Collection` models (Samya Aggarwal)
 * Add Loom oEmbed provider (Nick Ivons)
 * Add `ModelViewSet.pk_path_converter` with defaults for `IntegerField` and `UUIDField` primary keys (Seb Corbin)
 * Improve accessibility for sidebar menu with visual active (expanded) menu item indicators (Vignesh Shivhare)
 * Add `before_edit_setting` / `after_edit_setting` hooks (Baptiste Mispelon)
 * Lower default AVIF encoding quality from 80 to 73 (Thibaud Colas)
 * Provide a structured rendering of `StreamBlock` in comparison view (Taras Panasiuk)
 * Add support for settings and custom block layouts for StructBlock (Sage Abdullah)
 * Add llms.txt versions of the developer documentation and Wagtail user guide (Thibaud Colas)
 * Lower default JPEG and AVIF image quality settings to provide consistent perceptual quality between formats (Thibaud Colas)
 * Add support for custom content checks with client-side registration (Thibaud Colas)
 * Initial support for autosave (Matt Westcott, Sage Abdullah)
 * Fix: Do not try to resolve locale during fixture load (Jake Howard, Seb Corbin)
 * Fix: Gracefully handle oEmbed responses with a non-200 status or missing type (Shivam Kumar, Bhavesh Sharma)
 * Fix: Keep action button labelled as "Publish" rather than "Schedule to publish" if go-live date has passed (Vishrut Ramraj)
 * Fix: Pass accumulated icons to each `register_icons` hook (Joey Jurjens, Sage Abdullah)
 * Fix: Skip revisions that are missing the specified field in StreamField migrations (Joshua Munn)
 * Fix: Preserve listing search and filter parameters when redirecting from bulk actions (Sage Abdullah)
 * Fix: Ensure that object references within `TypedTableBlock` are counted in the reference index (Aman Bora)
 * Fix: Fix slug auto-generation when slug field is omitted from page edit form (Pravin Kamble)
 * Fix: Ensure `request.is_preview` and `request.preview_mode` are set for password-required responses (Ishtpreet Singh)
 * Fix: Optimise storage of redirect paths containing Unicode characters and ensure percent-encoded characters are matched case-insensitively (Andy Babic, Florin Barnea, Aman Bora, Matt Westcott)
 * Fix: Ensure that reference index records are deleted when the target object is deleted (bettercallok)
 * Fix: Ensure filters are applied to export button URLs in custom page listings (Ritik Arya, Sage Abdullah)
 * Fix: Prevent conflicting IDs in nested `StructBlock`s with blocks named `content` (Sage Abdullah, Serkan Korkusuz)
 * Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)
 * Docs: Recommend running `purge_embeds` after an embed provider changes policies (Paul Souders)
 * Docs: Document `WAGTAILIMAGES_FORMAT_CONVERSIONS` in the settings docs (David Buxton)
 * Docs: Wording changes to Draftail extension docs to improve searchability (Lasse Schmieding)
 * Docs: Fix StreamField param name (Baptiste Mispelon)
 * Docs: Clarify that `before_delete_page` and similar hooks only trigger on the individual page view, not bulk actions (Shivam Kumar)
 * Docs: Clarify template location in custom user model documentation (Akhil Muraleedharan)
... (truncated)

Commits

  • [136e2f6](https://github.com/wagtail/wagtail/commit/136e2f65957314f26bd2632adec08fe5ef9a1e25) Release note for updating semgrep to 1.150.0 in 7.2.3
  • [21177fe](https://github.com/wagtail/wagtail/commit/21177fedc20ba1728aa3ca01f49d490543861ed2) Version bump to 7.3.1 final
  • [06750d4](https://github.com/wagtail/wagtail/commit/06750d47de2ff9b22b37ff56949c1abb325e0d96) Release note for CVE-2026-28223 in 7.3.1
  • [1b971d0](https://github.com/wagtail/wagtail/commit/1b971d0ba7020c1bf5814851eb1ca82ce537245f) Release note for CVE-2026-28223 in 7.2.3
  • [3aada71](https://github.com/wagtail/wagtail/commit/3aada716a7ba92d0c73f78e8c17586fe372088ae) Release note for CVE-2026-28223 in 7.0.6
  • [804ed3b](https://github.com/wagtail/wagtail/commit/804ed3bce26c60bc56763947a612269b816cb2b7) Release note for CVE-2026-28223 in 6.3.8
  • [ba70244](https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19) Enforce HTML escaping of all confirmation / warning / error messages
  • [423934e](https://github.com/wagtail/wagtail/commit/423934efd88565b1bd2feea735cbacb8df35cb6c) Release note for CVE-2026-28222 in 7.3.1
  • [a2db131](https://github.com/wagtail/wagtail/commit/a2db131d3f9bf2baa4256cb6c141691947f5f1b4) Release note for CVE-2026-28222 in 7.2.3
  • [16bbf26](https://github.com/wagtail/wagtail/commit/16bbf260f6faa8674d0ff53a27133223a047d2e5) Release note for CVE-2026-28222 in 7.0.6
  • Additional commits viewable in [compare view](https://github.com/wagtail/wagtail/compare/v4.2.4...v7.3.1)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot added the dependencies and python labels Mar 4, 2026
Bumps [wagtail](https://github.com/wagtail/wagtail) from 4.2.4 to 7.3.1.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v4.2.4...v7.3.1)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.3.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/pip/wagtail-7.3.1 branch from f707da3 to 6330f34 March 12, 2026 15:01

dependabot Bot commented on behalf of github May 6, 2026

Superseded by #1946.

dependabot Bot closed this May 6, 2026
dependabot Bot deleted the dependabot/pip/wagtail-7.3.1 branch May 6, 2026 10:07