chore(deps): bump wagtail from 7.2.3 to 7.3.2 in /requirements #217

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/requirements/wagtail-7.3.2

dependabot Bot commented on behalf of github May 8, 2026

Bumps wagtail from 7.2.3 to 7.3.2.

Release notes

Sourced from wagtail's releases.

7.3.2

  • Security fix: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Security fix: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Security fix: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Security fix: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Security fix: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: Use protocol-relative URLs in the userbar for compatibility with environments where Django does not detect the protocol (Sage Abdullah)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Avoid creating a new editing session when updating UI elements after an autosave (Sage Abdullah)
  • Fix: Group audit log entries for autosave operations in page history view (Sage Abdullah)
  • Fix: Retain page explorer header buttons when searching or filtering (Sage Abdullah)
  • Fix: Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Pause SessionController pings during autosave to prevent conflict notification with own session (Sage Abdullah)
  • Fix: Ensure live preview does not get stuck when edits occur during an in-progress update (Aniket Singh)
  • Fix: Ensure only one autosave request can happen at a time to prevent incorrect conflict notifications with the current session (Sage Abdullah)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

7.3.1

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
  • Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
  • Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
  • Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
  • Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.3

  • Add support for Django 6.0
  • Resize overly large avatar images on upload (Harshit Ranjan)
  • Add natural keys for Page and Collection models (Samya Aggarwal)
  • Add Loom oEmbed provider (Nick Ivons)
  • Add ModelViewSet.pk_path_converter with defaults for IntegerField and UUIDField primary keys (Seb Corbin)
  • Improve accessibility for sidebar menu with visual active (expanded) menu item indicators (Vignesh Shivhare)
  • Add before_edit_setting / after_edit_setting hooks (Baptiste Mispelon)
  • Lower default AVIF encoding quality from 80 to 73 (Thibaud Colas)
  • Provide a structured rendering of StreamBlock in comparison view (Taras Panasiuk)
  • Add support for settings and custom block layouts for StructBlock (Sage Abdullah)
  • Add llms.txt versions of the developer documentation and Wagtail user guide (Thibaud Colas)
  • Lower default JPEG and AVIF image quality settings to provide consistent perceptual quality between formats (Thibaud Colas)
  • Add support for custom content checks with client-side registration (Thibaud Colas)
  • Initial support for autosave (Matt Westcott, Sage Abdullah)
  • Fix: Do not try to resolve locale during fixture load (Jake Howard, Seb Corbin)
  • Fix: Gracefully handle oEmbed responses with a non-200 status or missing type (Shivam Kumar, Bhavesh Sharma)
  • Fix: Keep action button labelled as "Publish" rather than "Schedule to publish" if go-live date has passed (Vishrut Ramraj)
  • Fix: Pass accumulated icons to each register_icons hook (Joey Jurjens, Sage Abdullah)
  • Fix: Skip revisions that are missing the specified field in StreamField migrations (Joshua Munn)
  • Fix: Preserve listing search and filter parameters when redirecting from bulk actions (Sage Abdullah)
  • Fix: Ensure that object references within TypedTableBlock are counted in the reference index (Aman Bora)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.3.2 (05.05.2026)


 * Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
 * Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
 * Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
 * Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
 * Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
 * Fix: Use protocol-relative URLs in the userbar for compatibility with environments where Django does not detect the protocol (Sage Abdullah)
 * Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
 * Fix: Avoid creating a new editing session when updating UI elements after an autosave (Sage Abdullah)
 * Fix: Group audit log entries for autosave operations in page history view (Sage Abdullah)
 * Fix: Retain page explorer header buttons when searching or filtering (Sage Abdullah)
 * Fix: Correctly escape the `sizes` attribute in responsive image template tags (Jake Howard)
 * Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
 * Fix: Pause SessionController pings during autosave to prevent conflict notification with own session (Sage Abdullah)
 * Fix: Ensure live preview does not get stuck when edits occur during an in-progress update (Aniket Singh)
 * Fix: Ensure only one autosave request can happen at a time to prevent incorrect conflict notifications with the current session (Sage Abdullah)
 * Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

7.3.1 (03.03.2026)

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)
  • Fix: Update dependencies to allow django-modelsearch 1.2 and django-tasks 0.11
  • Fix: Fix duplicate inline panel items when editing snippets with autosave enabled (Sage Abdullah)
  • Fix: Prevent dropdowns from closing after a successful autosave (Sage Abdullah)
  • Fix: Show placeholder image icons when image upload previews fail (Collins Kubu)
  • Fix: Ensure that 'create' form within choosers is not hidden on validation errors (Ankit Chaudhary)
  • Maintenance: Update semgrep to 1.150.0 (Pravin Kamble)

7.3 (03.02.2026)


 * Add support for Django 6.0
 * Resize overly large avatar images on upload (Harshit Ranjan)
 * Add natural keys for `Page` and `Collection` models (Samya Aggarwal)
 * Add Loom oEmbed provider (Nick Ivons)
 * Add `ModelViewSet.pk_path_converter` with defaults for `IntegerField` and `UUIDField` primary keys (Seb Corbin)
 * Improve accessibility for sidebar menu with visual active (expanded) menu item indicators (Vignesh Shivhare)
 * Add `before_edit_setting` / `after_edit_setting` hooks (Baptiste Mispelon)
 * Lower default AVIF encoding quality from 80 to 73 (Thibaud Colas)
 * Provide a structured rendering of `StreamBlock` in comparison view (Taras Panasiuk)
 * Add support for settings and custom block layouts for StructBlock (Sage Abdullah)
 * Add llms.txt versions of the developer documentation and Wagtail user guide (Thibaud Colas)
 * Lower default JPEG and AVIF image quality settings to provide consistent perceptual quality between formats (Thibaud Colas)
 * Add support for custom content checks with client-side registration (Thibaud Colas)
 * Initial support for autosave (Matt Westcott, Sage Abdullah)

... (truncated)

Commits
  • e6a58de Update Wagtail dependency in project template
  • 9934e4c ruff format
  • 1c74ccc Version bump to 7.3.2 final
  • 7683d65 Release notes for security fixes in 7.3.2
  • 44cbc72 Fix permission check on creating alias
  • 6245866 Fix permission handling on page copy
  • adbe3b3 Exclude view-restricted collections from document and images API
  • 8613e18 Only support deleting form submissions for the chosen page
  • 195f0cf Add test
  • 37b0be8 Check object permissions in PageHistoryView
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot added the dependencies and python labels May 8, 2026
dependabot Bot force-pushed the dependabot/pip/requirements/wagtail-7.3.2 branch from 8bcfabe to e5529ef June 2, 2026 15:20
Bumps [wagtail](https://github.com/wagtail/wagtail) from 7.2.3 to 7.3.2.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v7.2.3...v7.3.2)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.3.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/pip/requirements/wagtail-7.3.2 branch from e5529ef to 47b961d June 2, 2026 15:42
@matrixise

Wagtail 7.2.3 → 7.3.2 — Upgrade Notes

Why merge this promptly

This release includes 8 security fixes across 7.3.0 / 7.3.1 / 7.3.2:

| CVE | Description |
| --- | --- |
| CVE-2026-25517 | Missing permission check on admin preview endpoints |
| CVE-2026-28222 | Stored XSS via TableBlock class attributes |
| CVE-2026-28223 | Stored XSS in simple_translation admin interface |
| CVE-2026-44197 | Improper permission handling when comparing revisions |
| CVE-2026-44198 | Improper permission handling when viewing page history |
| CVE-2026-44199 | Improper permission handling when deleting form submissions |
| CVE-2026-44200 | Improper permission handling when copying pages |
| CVE-2026-44201 | Improper restriction on Documents and Images API |

Steps to run after merging

# 1. Rebuild the Docker image (picks up the new Wagtail version)
task docker:build

# 2. Run database migrations
task django:migrate

# 3. Recollect static files (clears stale Wagtail admin JS/CSS)
docker compose run --rm web python pythonie/manage.py collectstatic --clear --noinput

# 4. Hard-refresh the browser to flush cached admin assets
# macOS: Cmd+Shift+R  /  Windows/Linux: Ctrl+Shift+R

For production (Heroku):

task heroku:migrate
task heroku:restart

Behaviour changes to be aware of

1. Autosave enabled by default

Pages and snippets with RevisionMixin now autosave every 60 seconds in the editor. Editors will notice this immediately. To disable or adjust the interval:

WAGTAIL_AUTOSAVE_INTERVAL = 0    # 0 = disabled
# WAGTAIL_AUTOSAVE_INTERVAL = 180  # custom interval in seconds

2. Image quality defaults lowered (new renditions only)

Existing cached renditions are not affected — only images generated after the upgrade.

| Format | Old default | New default |
| --- | --- | --- |
| JPEG | 85 | 76 |
| AVIF | 80 | 61 |
| WebP | 80 | 80 (unchanged) |

To restore the previous quality:

WAGTAILIMAGES_JPEG_QUALITY = 85
WAGTAILIMAGES_AVIF_QUALITY = 80

3. Potentially slow migration on large databases

Wagtail 7.3 adds composite indexes on wagtailcore_pagelogentry and wagtailcore_modellogentry. On large databases this can take several minutes. If you previously created these indexes manually, fake the migration instead:

python pythonie/manage.py migrate --fake wagtailcore 0097 \
  --settings=pythonie.settings.production

Full migration notes are tracked in wagtail-migration.md.


dependabot Bot commented on behalf of github Jun 10, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot Bot deleted the dependabot/pip/requirements/wagtail-7.3.2 branch June 10, 2026 11:56