🚨 [security] Update loofah: 2.2.2 → 2.2.3 (patch)

[depfu]

---

🚨 Your version of loofah has known security vulnerabilities 🚨

Advisory: CVE-2018-16468
Disclosed: October 30, 2018
URL: https://github.com/flavorjones/loofah/issues/154

Loofah XSS Vulnerability

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

We've updated a dependency and here is what you need to know:

name	version specification	old version	new version
loofah	indirect dependency	2.2.2	2.2.3

You should probably take a good look at the info here and the test results before merging this pull request, of course.

What changed?

↗️ loofah (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:

• version bump to v2.2.3 and update CHANGELOG
• remove the svg animate attribute `from` from the allowlist
• add formatting to CHANGELOG
• updated mailing list to a new Google Group
• extract msword html data into an asset file

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #44.