[Security] Bump loofah from 2.0.3 to 2.2.2

[dependabot-preview]

Bumps loofah from 2.0.3 to 2.2.2. This update includes security fixes.

Vulnerabilities fixed

Loofah XSS Vulnerability
Loofah allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments.

Patched versions: [">= 2.2.1"]
Unaffected versions: []

Release notes

Sourced from loofah's releases.

v2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

Changelog

Sourced from loofah's changelog.

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

2.2.1 / 2018-03-19

Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

2.2.0 / 2018-02-11

Features:

• Support HTML5 <main> tag. #133 (Thanks, MothOnMars!)
• Recognize HTML5 block elements. #136 (Thanks, MothOnMars!)
• Support SVG <symbol> tag. #131 (Thanks, baopham!)
• Support for whitelisting CSS functions, initially just calc and rgb. Bump rubocop from 4c3e7a to 09ff55 #122/Bump rubocop from 4c3e7a to 9f7c9c #123/Bump sequel from 4.29.0 to 5.4.0 #129 (Thanks, NikoRoberts!)
• Whitelist CSS property list-style-type. Bump rake from 10.4.2 to 12.2.1 #68/Bump rubocop from 4c3e7a to 707c9a #137/Bump puma from 2.15.3 to 3.11.2 #142 (Thanks, andela-ysanni and NikoRoberts!)

Bugfixes:

• Properly handle nested script tags. #127.

2.1.1 / 2017-09-24

Bugfixes:

• Removed warning for unused variable. #124 (Thanks, y-yagi!)

2.1.0 / 2017-09-24

Notes:

• Re-implemented CSS parsing and sanitization using the crass library. #91

Features:

• Added :noopener HTML scrubber (Thanks, tastycode!)
• Support data URIs with the following media types: text/plain, text/css, image/png, image/gif, image/jpeg, image/svg+xml. #101, #120. (Thanks, mrpasquini!)

... (truncated)

Commits

• 37af4ee version bump to 2.2.2
• 56e95a6 Make public force_correct_attribute_escaping!
• 9452bff use VersionInfo.instance
• 7541374 version bump to 2.2.1
• 70bd089 update Manifest.txt and CHANGELOG.md
• 332ec6a Merge branch 'flavorjones-remediate-attribute-escaping'
• f739cf8 tests and fix for CVE-2018-8048
• 0c97c74 SECURITY.md to publish vuln reporting process
• d64b74d bump the fake gemspec
• 08cc110 fix remaining rdoc format in README
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot ignore this [minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use [this|these] label[s] will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #238.