[Security] Bump loofah from 2.2.3 to 2.9.1

[dependabot-preview[bot]]

Bumps loofah from 2.2.3 to 2.9.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.3.1 Unaffected versions: none

Release notes

Sourced from loofah's releases.

2.9.1 / 2021-04-07

Bug fixes

• Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [#202]

2.9.0 / 2021-01-14

• Handle CSS functions in a CSS shorthand property (like background). [#199, #200]

2.8.0 / 2020-11-25

• Allow CSS properties order, flex-direction, flex-grow, flex-wrap, flex-shrink, flex-flow, flex-basis, flex, justify-content, align-self, align-items, and align-content. [#197] (Thanks, @miguelperez!)

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

... (truncated)

Changelog

Sourced from loofah's changelog.

2.9.1 / 2021-04-07

Bug fixes

• Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [#202]

2.9.0 / 2021-01-14

Features

• Handle CSS functions in a CSS shorthand property (like background). [#199, #200]

2.8.0 / 2020-11-25

Features

• Allow CSS properties order, flex-direction, flex-grow, flex-wrap, flex-shrink, flex-flow, flex-basis, flex, justify-content, align-self, align-items, and align-content. [#197] (Thanks, @miguelperez!)

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

... (truncated)

Commits

• 4a6be02 version bump to v2.9.1
• bbde91a Merge pull request #203 from flavorjones/202-property-string-values
• 1565bfe fix: allow CSS properties to have quoted string values
• cc5ce1c readme: convert an old rdoc header to markdown
• 1178f68 readme: fix CI badge
• cbbb3ac dev: update default branch to main
• 07e89a5 test: extend Nokogiri decorator tests to NodeSets
• 82f0c9e ci: update ruby versions tested
• b18e3dc version bump to v2.9.0
• 8ed486d Merge pull request #200 from flavorjones/199-css-functions-not-handled-properly
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

[dependabot-preview[bot]]

Superseded by #680.