[Security] Bump loofah from 2.1.1 to 2.2.2

[dependabot-preview]

Bumps loofah from 2.1.1 to 2.2.2. This update includes security fixes.

Vulnerabilities fixed

Loofah XSS Vulnerability
Loofah allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments.

Patched versions: [">= 2.2.1"]
Unaffected versions: []

Release notes

Sourced from loofah's releases.

v2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

Changelog

Sourced from loofah's changelog.

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.

2.2.1 / 2018-03-19

Addresses CVE-2018-8048. Loofah allowed non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

This CVE's public notice is at https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

2.2.0 / 2018-02-11

Features:

• Support HTML5 <main> tag. #133 (Thanks, MothOnMars!)
• Recognize HTML5 block elements. #136 (Thanks, MothOnMars!)
• Support SVG <symbol> tag. #131 (Thanks, baopham!)
• Support for whitelisting CSS functions, initially just calc and rgb. Make sure graphs start at zero #122/Make date formats clearer #123/Fix fonts in IE #129 (Thanks, NikoRoberts!)
• Whitelist CSS property list-style-type. Get a better name #68/Handle pie-chart colours #137/Fit a single-number metric in a dashboard box #142 (Thanks, andela-ysanni and NikoRoberts!)

Bugfixes:

• Properly handle nested script tags. #127.

Commits

• 37af4ee version bump to 2.2.2
• 56e95a6 Make public force_correct_attribute_escaping!
• 9452bff use VersionInfo.instance
• 7541374 version bump to 2.2.1
• 70bd089 update Manifest.txt and CHANGELOG.md
• 332ec6a Merge branch 'flavorjones-remediate-attribute-escaping'
• f739cf8 tests and fix for CVE-2018-8048
• 0c97c74 SECURITY.md to publish vuln reporting process
• d64b74d bump the fake gemspec
• 08cc110 fix remaining rdoc format in README
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot ignore this [minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use [this|these] label[s] will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.