Bump wagtail from 6.3.8 to 7.0.7 in /requirements #11

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/pip/requirements/wagtail-7.0.7

Conversation

dependabot (bot) commented on behalf of github on May 8, 2026

Bumps wagtail from 6.3.8 to 7.0.7.

Release notes

Sourced from wagtail's releases.

7.0.7

  • Security fix: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Security fix: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Security fix: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Security fix: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Security fix: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Correctly escape the sizes attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

7.0.6

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)

7.0.5

  • Remove upper bound on Pillow dependency (Kunal Hemnani)

7.0.4

  • Fix: Prevent error on custom generic create and edit views without a header icon (Sage Abdullah)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

7.0.3

  • Fix: Prevent crash when previewing a form page with an empty field type (Sage Abdullah)

7.0.2

  • Fix: Prevent error when restoring scroll position for cross-domain preview iframe (Sage Abdullah)
  • Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
  • Fix: Ensure the editing of translation alias pages correctly shows links to the source page if the alias was created from a draft (Dan Braghis)

7.0.1

  • Fix: Fix type hints for register_filter_adapter_class parameters (Sébastien Corbin)
  • Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)
  • Fix: Fix broken migration when ListBlock is defined with a child_block kwarg (Matt Westcott)
  • Fix: Fix saving of empty values in EmbedBlock (Matt Westcott)
  • Fix: Sanitize request data when logging method not allowed (Jake Howard)
  • Docs: Use tuple instead of set in UniqueConstraint examples for a custom rendition model to avoid spurious migrations (Alec Baron)
  • Docs: Document how to turn off StreamField block previews (Shlomo Markowitz)
  • Maintenance: Use utf8mb4 charset and collation for MySQL test database (Sage Abdullah)

7.0 LTS

  • Add formal support for Django 5.2 (Matt Westcott)
  • Allow validation of required fields to be deferred on saving drafts (Matt Westcott, Sage Abdullah)
  • Add WAGTAIL_ prefix to Wagtail-specific tag settings (Aayushman Singh)
  • Implement normalize on TypedTableBlock to assist with setting default and preview_value (Sage Abdullah)
  • Apply normalization when modifying a StreamBlock's value to assist with programmatic changes to StreamField (Matt Westcott)
  • Allow a custom image rendition model to define its unique constraint with models.UniqueConstraint instead of unique_together (Oliver Parker, Cynthia Kiser, Sage Abdullah)
  • Default to the standard tokenizer on Elasticsearch, to correctly handle numbers as tokens (Matt Westcott)
  • Add color-scheme meta tag to Wagtail admin (Ashish Nagmoti)
  • Add the ability to set the default privacy restriction for new pages using get_default_privacy_setting (Shlomo Markowitz)

... (truncated)

Changelog

Sourced from wagtail's changelog.

7.0.7 (05.05.2026)

  • Fix: CVE-2026-44197: Improper permission handling when comparing revisions (Seoyoung Kang, Jake Howard)
  • Fix: CVE-2026-44198: Improper permission handling when viewing page history (Seoyoung Kang, Jake Howard, Dan Braghis)
  • Fix: CVE-2026-44199: Improper permission handling when deleting form submissions (Vishal Shukla, Jake Howard)
  • Fix: CVE-2026-44200: Improper permission handling when copying pages (Sanjok Karki, Matt Westcott)
  • Fix: CVE-2026-44201: Improper restriction handling on Documents and Images API (Sanjok Karki, Jake Howard)
  • Fix: Index the contents of image descriptions as well as titles, for CMS search (Advik Sharma)
  • Fix: Correctly escape the `sizes` attribute in responsive image template tags (Jake Howard)
  • Fix: Add accessible label to userbar aside element for accessibility (Kalash Kumari Thakur)
  • Fix: Prevent incorrect concurrent editing conflict notifications when doing a manual save (Sage Abdullah)

7.0.6 (03.03.2026)

  • Fix: CVE-2026-28222: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes (Guan Chenxian, Matt Westcott)
  • Fix: CVE-2026-28223: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface (Guan Chenxian, Matt Westcott)

7.0.5 (12.02.2026)

  • Remove upper bound on Pillow dependency (Kunal Hemnani)

7.0.4 (03.02.2026)

  • Fix: Prevent error on custom generic create and edit views without a header icon (Sage Abdullah)
  • Fix: CVE-2026-25517: Improper permission handling on admin preview endpoints (thxtech, Matt Westcott, Jake Howard)

7.0.3 (28.08.2025)

  • Fix: Prevent crash when previewing a form page with an empty field type (Sage Abdullah)

7.0.2 (24.07.2025)

  • Fix: Prevent error when restoring scroll position for cross-domain preview iframe (Sage Abdullah)
  • Fix: Remove ngram parser on MySQL that prevented autocomplete search from returning results (Vince Salvino)
  • Fix: Ensure the editing of translation alias pages correctly shows links to the source page if the alias was created from a draft (Dan Braghis)

7.0.1 (12.06.2025)

  • Fix: Fix type hints for `register_filter_adapter_class` parameters (Sébastien Corbin)
  • Fix: Use correct URL when redirecting back to the listing after filtering and deleting form submissions (Sage Abdullah)

... (truncated)

Commits
  • cb3ed5a ruff format
  • 195962f Version bump to 7.0.7 final
  • 3da9b74 Release notes for security fixes in 7.0.7
  • c75351b Fix permission check on creating alias
  • c731322 Fix permission handling on page copy
  • 052caa0 Exclude view-restricted collections from document and images API
  • 2aa9694 Only support deleting form submissions for the chosen page
  • bdfb723 Add test
  • 585cb02 Check object permissions in PageHistoryView
  • d8e88bd Change permission test to edit or publish
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [wagtail](https://github.com/wagtail/wagtail) from 6.3.8 to 7.0.7.
- [Release notes](https://github.com/wagtail/wagtail/releases)
- [Changelog](https://github.com/wagtail/wagtail/blob/main/CHANGELOG.txt)
- [Commits](wagtail/wagtail@v6.3.8...v7.0.7)

---
updated-dependencies:
- dependency-name: wagtail
  dependency-version: 7.0.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot (bot) added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) on May 8, 2026