[Security] Bump nokogiri from 1.8.2 to 1.8.4

[greysteil]

Bumps nokogiri from 1.8.2 to 1.8.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Revert libxml2 behavior in Nokogiri gem that could cause XSS
[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact
here:

https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect
users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you
comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Patched versions: >= 1.8.3
Unaffected versions: none

Changelog

Sourced from nokogiri's changelog.

1.8.4 / 2018-07-03

Bug fixes

• [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [Angular attachments #1771]

1.8.3 / 2018-06-16

Security Notes

[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact here:

https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Dependencies

• [MRI] libxml2 is updated from 2.9.7 to 2.9.8

Features

• Node#classes, #add_class, #append_class, and #remove_class are added.
• NodeSet#append_class is added.
• NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
• NodeSet#each now returns an Enumerator when no block is passed (Thanks, park53kr!)
• [JRuby] General improvements in JRuby implementation (Thanks, kares!)

Bug fixes

• CSS attribute selectors now gracefully handle queries using integers. [Privacy page layout is screwy #711]
• Handle ASCII-8BIT encoding on fragment input [Cannot open notifications in new tab #553]
• Handle non-string return values within Reader [Scope pie js to search page #898]
• [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [Language selector not showing #1666]
• [JRuby] Stability and speed improvements to Node, Sax::PushParser, and the JRuby implementation [Google not displaying Loomio site info in search results due to robots.txt file.  #1708, #1710, #1501]

Commits

• 254f341 version bump to v1.8.4
• 056f66d enforcing formatting in xml_node.c
• ca4f9b2 Merge branch '1771-memory-leak'
• 0d26561 fix memory leak with creating nodes with a namespace
• 117ca2e README format
• 20e11c3 version bump to 1.8.3
• be8a240 update CHANGELOG
• 06ac6ba Merge branch '1765-enumerator'
• 00bafb7 add test coverage for NodeSet#each enum
• 75517e0 '#each' returns enumerator when no block given
• Additional commits viewable in compare view

More generally, would you be up for using Dependabot on Loomio? It's totally free for open source and always will be - I'm just trying to get more people using it because:

1. I think it will save you time and help keep Loomio secure
2. Having more users gives more data for Dependabot's compatibility scores, so they get rock solid

Would love you to give it a try!

[robguthrie]

Thanks!