
Bump sanitize from 4.6.0 to 4.6.4 #162

Merged (1 commit, Apr 6, 2018)

Conversation

dependabot-preview[bot] (Contributor) commented Mar 21, 2018

Bumps sanitize from 4.6.0 to 4.6.4.

Release notes

Sourced from sanitize's releases.

4.6.4 (2018-03-20)

  • Fixed: A change introduced in 4.6.2 broke certain transformers that relied on being able to mutate the name of an HTML node. That change has been reverted and a test has been added to cover this case. [zetter - #177]

4.6.3 (2018-03-19)

  • CVE-2018-3740: Fixed an HTML injection vulnerability that could allow XSS.

    When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.

    Sanitize now performs additional escaping on affected attributes to prevent this.

    Many thanks to the Shopify Application Security Team for responsibly reporting this issue.

4.6.2 (2018-03-19)

4.6.1 (2018-03-15)


Commits
  • acc7e64 chore: Release 4.6.4
  • 71d84a8 Remove optimization to get back the previous behaviour of transformers
  • f5a2686 chore: Add CVE id to history for 4.6.3
  • 5f66eb1 chore: Release 4.6.3
  • 01629a1 fix: Prevent code injection due to improper escaping in libxml2 >= 2.9.2
  • 0eee92e chore: Release 4.6.2
  • caa558a Optimize memory usage
  • 184709b chore: Release 4.6.1
  • 5ab3d0d Merge branch 'flavorjones-flavorjones-frozen-string-support'
  • 823a3f6 support ruby 2.4+ frozen string literals
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If you'd like to skip this version, you can just close this PR. If you have any feedback just mention @dependabot in the comments below.

Bumps [sanitize](https://github.com/rgrove/sanitize) from 4.6.0 to 4.6.4.
- [Release notes](https://github.com/rgrove/sanitize/releases)
- [Changelog](https://github.com/rgrove/sanitize/blob/master/HISTORY.md)
- [Commits](rgrove/sanitize@v4.6.0...v4.6.4)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview force-pushed the dependabot/bundler/sanitize-4.6.4 branch from eaa0730 to 2c1d766 on April 6, 2018 01:53
@afomera afomera merged commit f58050c into master Apr 6, 2018
@afomera afomera deleted the dependabot/bundler/sanitize-4.6.4 branch April 6, 2018 01:57