Bump loofah from 2.0.3 to 2.2.3

[dependabot]

Bumps loofah from 2.0.3 to 2.2.3.

Release notes

Sourced from loofah's releases.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

v2.2.1

Notably, this release mitigates CVE-2018-8048.

Changelog

Sourced from loofah's changelog.

2.2.3 / 2018-10-30

Security

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at #154

Meta / 2018-10-27

The mailing list is now on Google Groups #146:

• Mail: [email protected]
• Archive: https://groups.google.com/forum/#!forum/loofah-talk

This change was made because librelist no longer appears to be maintained.

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

2.2.1 / 2018-03-19

Security

Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

This CVE's public notice is at #144

2.2.0 / 2018-02-11

Features:

• Support HTML5 <main> tag. #133 (Thanks, @​MothOnMars!)
• Recognize HTML5 block elements. #136 (Thanks, @​MothOnMars!)
• Support SVG <symbol> tag. #131 (Thanks, @​baopham!)
• Support for whitelisting CSS functions, initially just calc and rgb. #122/#123/#129 (Thanks, @​NikoRoberts!)
• Whitelist CSS property list-style-type. #68/#137/#142 (Thanks, @​andela-ysanni and @​NikoRoberts!)

Bugfixes:

• Properly handle nested script tags. #127.

... (truncated)

Commits

• cb3dbfa version bump to v2.2.3 and update CHANGELOG
• 71e4b54 remove the svg animate attribute from from the allowlist
• 3556e2b add formatting to CHANGELOG
• ac7c50d updated mailing list to a new Google Group
• de6b0f3 extract msword html data into an asset file
• 37af4ee version bump to 2.2.2
• 56e95a6 Make public force_correct_attribute_escaping!
• 9452bff use VersionInfo.instance
• 7541374 version bump to 2.2.1
• 70bd089 update Manifest.txt and CHANGELOG.md
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

[dependabot]

Superseded by #54.