Bump loofah from 2.0.3 to 2.5.0

[dependabot[bot]]

Bumps loofah from 2.0.3 to 2.5.0.

Release notes

Sourced from loofah's releases.

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @danfstucky!)
• Allow CSS property list-style #162 (Thanks, @jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

... (truncated)

Changelog

Sourced from loofah's changelog.

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". #178 (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. #80

Other changes

• Gem metadata being set #181 (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @danfstucky!)
• Allow CSS property list-style #162 (Thanks, @jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @andreynering!)

Bug fixes

... (truncated)

Commits

• 2595827 version bump to v2.5.0
• f47758e ci: update concourse pipelines with latest rubies
• 9aa508c bug: remove HTML comments that exist outside the html element
• 5e02888 update CHANGELOG
• d8ff5ed Merge pull request #180 from JuanitoFatas/remove-tests-from-gem
• 3133e33 Merge pull request #178 from JuanitoFatas/allow-more-css-values
• 9c39a16 Merge pull request #181 from JuanitoFatas/fix-metadata
• 6e26a30 Update URL to hash format to generate metadata
• 200df2f Revert changes to generated gemspec
• 3b02e47 Remove test files from final gem
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/danielswaine/SodburyChallenge/network/alerts).

[coveralls]

Coverage remained the same at 4.744% when pulling 147c6c3de530908876ea306326293c98a17754ff on dependabot/bundler/loofah-2.5.0 into 4c5d104b24b76c9deb35c73cc9411d04ea3920d5 on master.

[dependabot[bot]]

Superseded by #59.