[Security] Bump loofah from 2.2.3 to 2.7.0

[dependabot-preview]

Bumps loofah from 2.2.3 to 2.7.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.3.1 Unaffected versions: none

Release notes

Sourced from loofah's releases.

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

Changelog

Sourced from loofah's changelog.

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width [#175] (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1 / 2019-10-22

Security

Commits

• 029a496 version bump to v2.7.0
• 490cd05 Merge pull request #190 from ahorek/page_break
• a6d1d9e update CHANGELOG
• c0f4bb8 add page-break to safelist
• 39e105c Merge pull request #192 from b7kich/maintain_shorthand_css_important_rule
• 0aba0b9 update CHANGELOG
• ea6fe90 prefer Array#<< to creating a new array
• 50931f4 scrub_css should not drop !important from shorthand css props
• 1ce8698 update json dev dependency
• e48f298 version bump to v2.6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)