Bump wagtail from 2.3 to 2.7.4
Created by: dependabot[bot]
Bumps wagtail from 2.3 to 2.7.4.
Release notes
Sourced from wagtail's releases.
2.7.4
- CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
- Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)
2.7.3
- CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)
2.7.2
- CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
2.7.1
- Fix: Management command startup checks under `ManifestStaticFilesStorage` no longer fail if `collectstatic` has not been run first (Alex Tomkins)
2.7
- Improved StreamField design (Bertrand Bordage)
- Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
- Added Elasticsearch 7 support (pySilver)
- Added Python 3.8 support (John Carter, Matt Westcott)
- Added `construct_page_listing_buttons` hook (Michael van Tellingen)
- Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
- Added Table Block caption for accessibility (Rahmi Pruitt)
- Move and refactor upgrade notification JS (Jonny Scholes)
- Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
- Remove need for Elasticsearch `update_all_types` workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
- Add ability for users to change their own name via the account settings page (Kevin Howbrook)
- Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
- Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
- Add `WAGTAIL_EMAIL_MANAGEMENT_ENABLED` setting to determine whether users can change their email address (Janne Alatalo)
- Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
- Add `WAGTAILDOCS_SERVE_METHOD` setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
- Add `WAGTAIL_MODERATION_ENABLED` setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
- Added settings to customise pagination page size for the Images admin area (Brian Whitton)
- Added ARIA role to TableBlock output (Matt Westcott)
- Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
- Allow `register_page_action_menu_item` and `construct_page_action_menu` hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
- `WAGTAILIMAGES_MAX_IMAGE_PIXELS` limit now takes the number of animation frames into account (Karl Hobley)
- Fix: Added line breaks to long filenames on multiple image / document uploader (Kevin Howbrook)
- Fix: Added https support for Scribd oEmbed provider (Rodrigo)
- Fix: Changed StreamField group labels color so labels are visible (Catherine Farman)
- Fix: Prevented images with a very wide aspect ratio from being displayed distorted in the rich text editor (Iman Syed)
- Fix: Prevent exception when deleting a model with a protected One-to-one relationship (Neal Todd)
- Fix: Added labels to snippet bulk edit checkboxes for screen reader users (Martey Dodoo)
- Fix: Middleware responses during page preview are now properly returned to the user (Matt Westcott)
- Fix: Default text of page links in rich text uses the public page title rather than the admin display title (Andy Chosak)
- Fix: Specific page permission checks are now enforced when viewing a page revision (Andy Chosak)
- Fix: `pageurl` and `slugurl` tags no longer fail when `request.site` is `None` (Samir Shah)
- Fix: Output form media on add/edit image forms with custom models (Matt Westcott)
- Fix: Output form media on add/edit document forms with custom models (Sergey Fedoseev)
- Fix: Layout for the clear checkbox in default FileField widget (Mikalai Radchuk)
- Fix: Remove ASCII conversion from Postgres search backend, to support stemming in non-Latin alphabets (Pavel Denisov)
Changelog
Sourced from wagtail's changelog.
2.7.4 (20.07.2020)
- Fix: CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
- Fix: Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)
2.7.3 (04.05.2020)
- Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)
2.7.2 (14.04.2020)
- Fix: CVE-2020-11001 - prevent XSS attack via page revision comparison view (Vlad Gerasimenko, Matt Westcott)
2.7.1 (08.01.2020)
- Fix: Management command startup checks under `ManifestStaticFilesStorage` no longer fail if `collectstatic` has not been run first (Alex Tomkins)
2.7 LTS (06.11.2019)
- Improved StreamField design (Bertrand Bordage)
- Added WebP image support (frmdstryr, Karl Hobley, Matt Westcott)
- Added Elasticsearch 7 support (pySilver)
- Added Python 3.8 support (John Carter, Matt Westcott)
- Added `construct_page_listing_buttons` hook (Michael van Tellingen)
- Added more detailed documentation and troubleshooting for installing OpenCV for feature detection (Daniele Procida)
- Added Table Block caption for accessibility (Rahmi Pruitt)
- Move and refactor upgrade notification JS (Jonny Scholes)
- Add ability to insert internal anchor links/links with fragment identifiers in Draftail (rich text) fields (Iman Syed)
- Remove need for Elasticsearch `update_all_types` workaround, upgrade minimum release to 6.4.0 or above (Jonathan Liuti)
- Add ability for users to change their own name via the account settings page (Kevin Howbrook)
- Add ability to insert telephone numbers as links in Draftail (rich text) fields (Mikael Engström and Liam Brenner)
- Increase delay before search in the snippet chooser, to prevent redundant search request round trips (Robert Rollins)
- Add `WAGTAIL_EMAIL_MANAGEMENT_ENABLED` setting to determine whether users can change their email address (Janne Alatalo)
- Recognise Soundcloud artist URLs as embeddable (Kiril Staikov)
- Add `WAGTAILDOCS_SERVE_METHOD` setting to determine how document downloads will be linked to and served (Tobias McNulty, Matt Westcott)
- Add `WAGTAIL_MODERATION_ENABLED` setting to enable / disable the 'Submit for Moderation' option (Jacob Topp-Mugglestone)
- Added settings to customise pagination page size for the Images admin area (Brian Whitton)
- Added ARIA role to TableBlock output (Matt Westcott)
- Added cache-busting query parameters to static files within the Wagtail admin (Matt Westcott)
- Allow `register_page_action_menu_item` and `construct_page_action_menu` hooks to override the default menu action (Rahmi Pruitt, Matt Westcott)
- `WAGTAILIMAGES_MAX_IMAGE_PIXELS` limit now takes the number of animation frames into account (Karl Hobley)

... (truncated)
Commits
- c53d060 fix version number reference
- bedc294 Version bump to 2.7.4
- 70719a9 Release note for 2.7.4
- 71dc3c1 Add test to confirm that labels are escaped
- f437ba4 Add warning about WAGTAILFORMS_HELP_TEXT_ALLOW_HTML
- 0b80aee Escape help text in form builder forms by default
- 8939583 Expand Pillow dependency to include 7.x
- 3f55039 Release note for 2.7.3
- b3698f9 Version bump to 2.7.3
- 3c03049 Use constant_time_compare for view restriction password checks
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.