Update wagtail from 2.5.1 to 2.6.1.
Changelog
### 2.6.1
```
~~~~~~~~~~~~~~~~~~
* Fix: Prevent Javascript errors caused by unescaped quote characters in translation strings (Matt Westcott)
```
### 2.6
```
~~~~~~~~~~~~~~~~
* Removed support for Python 3.4
* Added support for `short_description` for field labels in modeladmin's `InspectView` (Wesley van Lee)
* Rearranged SCSS folder structure to the client folder and split them approximately according to ITCSS. (Naomi Morduch Toubman, Jonny Scholes, Janneke Janssen, Hugo van den Berg)
* Added support for specifying cell alignment on TableBlock (Samuel Mendes)
* Added more informative error when a non-image object is passed to the `image` template tag (Deniz Dogan)
* Added more ARIA landmarks across the admin interface and welcome page for screen reader users to navigate the CMS more easily (Beth Menzies)
* Added ButtonHelper examples in the modelAdmin primer page within documentation (Kalob Taulien)
* Multiple clarifications, grammar and typo fixes throughout documentation (Dan Swain)
* Use correct URL in API example in documentation (Michael Bunsen)
* Move datetime widget initialiser JS into the widget's form media instead of page editor media (Matt Westcott)
* Add form field prefixes for input forms in chooser modals (Matt Westcott)
* Increase font-size across the whole admin (Beth Menzies, Katie Locke)
* Improved text color contrast across the whole admin (Beth Menzies, Katie Locke)
* Added consistent focus outline styles across the whole admin (Thibaud Colas)
* Removed version number from the logo link’s title. The version can now be found under the Settings menu (Thibaud Colas)
* Added "don't delete" option to confirmation screen when deleting images, documents and modeladmin models (Kevin Howbrook)
* Added `branding_title` template block for the admin title prefix (Dillen Meijboom)
* Add image dimensions in image gallery and image choosers for screen reader users (Helen Chapman)
* Added support for custom search handler classes to modeladmin's IndexView, and added a class that uses the default Wagtail search backend for searching (Seb Brown, Andy Babic)
* Improved heading structure for screen reader users navigating the CMS admin (Beth Menzies, Helen Chapman)
* Updated group edit view to expose the Permission object for each checkbox (George Hickman)
* Improve performance of Pages for Moderation panel (Fidel Ramos)
* Add more contextual information for screen readers in the explorer menu’s links (Helen Chapman)
* Added `process_child_object` and `exclude_fields` arguments to ``Page.copy()`` to make it easier for third-party apps to customise copy behavior (Karl Hobley)
* Added `Page.with_content_json()`, allowing revision content loading behaviour to be customised on a per-model basis (Karl Hobley)
* Improved screen-reader labels for action links in page listing (Helen Chapman, Katie Locke)
* Added screen-reader labels for table headings in page listing (Helen Chapman, Katie Locke)
* Added screen reader labels for page privacy toggle, edit lock, status tag in page explorer & edit views (Helen Chapman, Katie Locke)
* Added screen-reader labels for dashboard summary cards (Helen Chapman, Katie Locke)
* Added screen-reader labels for privacy toggle of collections (Helen Chapman, Katie Locke)
* Added `construct_settings_menu` hook (Jordan Bauer, Quadric)
* Fixed compatibility of date / time choosers with wagtail-react-streamfield (Mike Hearn)
* Performance optimization of several admin functions, including breadcrumbs, home and index pages (Fidel Ramos)
* Fix: ModelAdmin no longer fails when filtering over a foreign key relation (Jason Dilworth, Matt Westcott)
* Fix: The Wagtail version number is now visible within the Settings menu (Kevin Howbrook)
* Fix: Scaling images now rounds values to an integer so that images render without errors (Adrian Brunyate)
* Fix: Revised test decorator to ensure TestPageEditHandlers test cases run correctly (Alex Tomkins)
* Fix: Wagtail bird animation in admin now ends correctly on all browsers (Deniz Dogan)
* Fix: Explorer menu no longer shows sibling pages for which the user does not have access (Mike Hearn)
* Fix: Fixed occurrences of invalid HTML across the CMS admin (Thibaud Colas)
* Fix: Admin HTML now includes the correct `dir` attribute for the active language (Andreas Bernacca)
* Fix: Fix type error when using `--chunk_size` argument on `./manage.py update_index` (Seb Brown)
* Fix: Avoid rendering entire form in EditHandler's `repr` method (Alex Tomkins)
* Fix: Add empty alt attributes to HTML output of Embedly and oEmbed embed finders (Andreas Bernacca)
* Fix: Add empty alt attributes to all images in the CMS admin (Andreas Bernacca)
* Fix: Make URL generator preview image alt translatable (Thibaud Colas)
* Fix: Clear pending AJAX request if error occurs on page chooser (Matt Westcott)
* Fix: Prevent text from overlapping in focal point editing UI (Beth Menzies)
* Fix: Screen readers now announce "Dashboard" for the main nav’s logo link instead of Wagtail’s version number (Thibaud Colas)
* Fix: Screen readers now treat page-level action dropdowns as navigation instead of menus (Helen Chapman)
* Fix: Make icon font implementation more screen-reader-friendly (Thibaud Colas)
* Fix: Remove duplicate labels in image gallery and image choosers for screen reader users (Helen Chapman)
* Fix: Restore custom "Date" icon for scheduled publishing panel in Edit page’s Settings tab (Helen Chapman)
* Fix: Added missing form media to user edit form template (Matt Westcott)
* Fix: Add a label to the modals’ “close” button for screen reader users (Helen Chapman, Katie Locke)
* Fix: Ensure the 'add child page' button displays when focused (Helen Chapman, Katie Locke)
* Fix: Remove tab order customisations in CMS admin (Jordan Bauer)
* Fix: Add labels to permission checkboxes for screen reader users (Helen Chapman, Katie Locke)
* Fix: Page.copy() no longer copies child objects when the accessor name is included in `exclude_fields_in_copy` (Karl Hobley)
* Fix: Move focus to the pages explorer menu when open (Helen Chapman)
* Fix: Clicking the privacy toggle while the page is still loading no longer loads the wrong data in the page (Helen Chapman)
* Fix: Added missing `is_stored_locally` method to `AbstractDocument` (jonny5532)
* Fix: Query model no longer removes punctuation as part of string normalisation (William Blackie)
* Fix: Make login test helper work with user models with non-default username fields (Andrew Miller)
* Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)
```
### 2.5.2
```
~~~~~~~~~~~~~~~~~~
* Fix: Delay dirty form check to prevent "unsaved changes" warning from being wrongly triggered (Thibaud Colas)
```
Links
- PyPI: https://pypi.org/project/wagtail
- Changelog: https://pyup.io/changelogs/wagtail/
- Homepage: http://wagtail.io/
Update Django from 2.2.3 to 2.2.4.
Changelog
### 2.2.4
```
==========================
*August 1, 2019*
Django 2.2.4 fixes security issues and several bugs in 2.2.3.
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
================================================================================
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
were passed the ``html=True`` argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
filters, which were thus vulnerable.
The regular expressions used by ``Truncator`` have been simplified in order to
avoid potential backtracking issues. As a consequence, trailing punctuation may
now at times be included in the truncated output.
CVE-2019-14233: Denial-of-service possibility in ``strip_tags()``
=================================================================
Due to the behavior of the underlying ``HTMLParser``,
:func:`django.utils.html.strip_tags` would be extremely slow to evaluate
certain inputs containing large sequences of nested incomplete HTML entities.
The ``strip_tags()`` method is used to implement the corresponding
:tfilter:`striptags` template filter, which was thus also vulnerable.
``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress
removing tags, but necessarily incomplete HTML entities, stops being made.
Remember that absolutely NO guarantee is provided about the results of
``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
``strip_tags()`` call without escaping it first, for example with
:func:`django.utils.html.escape`.
CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField``
====================================================================================================
:lookup:`Key and index lookups <jsonfield.key>` for
:class:`~django.contrib.postgres.fields.JSONField` and :lookup:`key lookups
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
were subject to SQL injection, using a suitably crafted dictionary, with
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
=====================================================================================
If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
to significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.
``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.
Bugfixes
========
* Fixed a regression in Django 2.2 when ordering a ``QuerySet.union()``,
``intersection()``, or ``difference()`` by a field type present more than
once results in the wrong ordering being used (:ticket:`30628`).
* Fixed a migration crash on PostgreSQL when adding a check constraint
with a ``contains`` lookup on
:class:`~django.contrib.postgres.fields.DateRangeField` or
:class:`~django.contrib.postgres.fields.DateTimeRangeField`, if the right
hand side of an expression is the same type (:ticket:`30621`).
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path
contains null characters (``'\x00'``) (:ticket:`30506`).
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation
directory cannot be resolved (:ticket:`30647`).
==========================
```
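The CVE-2019-14234 entry above turns on lookup *names* reaching `QuerySet.filter(**kwargs)` from a crafted dictionary. The guard below is an added example, not Django's or Wagtail's code: it checks user-supplied lookup names against an allow-list of fields and an identifier-only segment pattern before they are expanded into `filter()`. `ALLOWED`, `UnsafeLookup` and the sample request dictionaries are assumptions constructed for this example.

```python
import re

# A lookup name such as "data__owner__icontains" is a '__'-joined path: a model
# field, then JSON/HStore keys and/or lookup names. Assumed policy for this
# example: every segment must be identifier-like, so no quotes, spaces or
# other SQL metacharacters can ride along inside a key name.
_SEGMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeLookup(ValueError):
    """Raised when a lookup name must not be forwarded to QuerySet.filter()."""


def validate_filter_kwargs(kwargs: dict, allowed_fields: set) -> dict:
    """Return kwargs unchanged if every *name* is safe to expand into filter().

    Values are not inspected: the ORM parameterises them. Only the names were
    the injection point, because they are spliced into the generated SQL.
    """
    for name in kwargs:
        segments = name.split("__")
        if segments[0] not in allowed_fields:
            raise UnsafeLookup("field not allowed: %r" % segments[0])
        for seg in segments:
            if not _SEGMENT.match(seg):
                raise UnsafeLookup("bad lookup segment in %r" % name)
    return kwargs


def is_safe(kwargs: dict, allowed_fields: set) -> bool:
    """Boolean wrapper for callers that prefer a check over an exception."""
    try:
        validate_filter_kwargs(kwargs, allowed_fields)
        return True
    except UnsafeLookup:
        return False


# Constructed samples: what a view might build from query-string parameters.
ALLOWED = {"title", "data"}
GOOD = {"title__icontains": "release", "data__owner": "alice"}
WRONG_FIELD = {"password__startswith": "a"}   # not an allow-listed field
BAD_KEY = {"data__o'neil": "x"}               # quote inside a JSON key name

if __name__ == "__main__":
    # Model.objects.filter(**validate_filter_kwargs(GOOD, ALLOWED)) is the
    # intended call site; here only the decision is shown.
    for sample in (GOOD, WRONG_FIELD, BAD_KEY):
        print(sample, "->", "ok" if is_safe(sample, ALLOWED) else "rejected")
```

Upgrading to 2.2.4 removes the injection itself; the allow-list remains worthwhile because it also stops callers from filtering on fields the endpoint never meant to expose.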
Links
- PyPI: https://pypi.org/project/django
- Changelog: https://pyup.io/changelogs/django/
- Homepage: https://www.djangoproject.com/
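The CVE-2019-14235 entry says the fix replaced recursion with a loop when re-percent-encoding invalid UTF-8 octets. The code below is an added illustration, not Django's `uri_to_iri`: a simplified recursive variant beside its iterative counterpart, run over a constructed path full of invalid octets to show why the call depth matters. The `SAFE` byte set, `BAD_RUN` and the helper names are assumptions for this example.

```python
from urllib.parse import quote, unquote_to_bytes

# Bytes left unescaped when an invalid octet is re-percent-encoded (RFC 3987
# step 3 keeps reserved characters). Assumed set for this example.
SAFE = b"/#%[]=:;$&()+,!?*@'~"


def repercent_recursive(path: bytes) -> bytes:
    """Re-encode invalid UTF-8 octets by recursing once per bad sequence.

    Each level is entered from inside an except block, so every pending
    UnicodeDecodeError (with its traceback) stays alive until the bottom of
    the recursion: memory grows with the number of bad octets, and Python's
    recursion limit ends the call long before a large input is repaired.
    """
    try:
        path.decode()
    except UnicodeDecodeError as e:
        fixed = quote(path[e.start:e.end], safe=SAFE).encode()
        return repercent_recursive(path[:e.start] + fixed + path[e.end:])
    return path


def repercent_iterative(path: bytes) -> bytes:
    """Same result with a loop: one exception alive at a time, flat memory."""
    while True:
        try:
            path.decode()
        except UnicodeDecodeError as e:
            fixed = quote(path[e.start:e.end], safe=SAFE).encode()
            path = path[:e.start] + fixed + path[e.end:]
        else:
            return path


def uri_to_iri_demo(uri: str) -> str:
    """Simplified URI -> IRI: fully unquote, then repair invalid octets."""
    return repercent_iterative(unquote_to_bytes(uri)).decode()


def survives(fn, path: bytes) -> bool:
    """True if fn(path) completes without exhausting the recursion limit."""
    try:
        fn(path)
        return True
    except RecursionError:
        return False


# Constructed sample: a path carrying thousands of invalid 0xFF octets.
BAD_RUN = b"/" + b"\xff" * 5000 + b"/"

if __name__ == "__main__":
    print(uri_to_iri_demo("/I%20%E2%99%A5%20Django/"))   # /I ♥ Django/
    print(repercent_iterative(b"/a\xffb/"))               # b'/a%FFb/'
    print("recursive survives:", survives(repercent_recursive, BAD_RUN))
    print("iterative survives:", survives(repercent_iterative, BAD_RUN))
```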
Update django-autoslug from 1.9.5 to 1.9.6.
Changelog
### 1.9.6
```
------------------
Handle timezones for datetime fields
```
Links
- PyPI: https://pypi.org/project/django-autoslug
- Changelog: https://pyup.io/changelogs/django-autoslug/
- Repo: https://github.com/justinmayer/django-autoslug/archive/master.zip
- Docs: https://pythonhosted.org/django-autoslug/
Update flake8-docstrings from 1.3.0 to 1.3.1.
The bot wasn't able to find a changelog for this release.
Links
- PyPI: https://pypi.org/project/flake8-docstrings
- Repo: https://gitlab.com/pycqa/flake8-docstrings