[Security] Bump loofah from 2.2.3 to 2.7.0 in /backend

[dependabot-preview[bot]]

Bumps loofah from 2.2.3 to 2.7.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Loofah XSS Vulnerability In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Patched versions: >= 2.3.1 Unaffected versions: none

Release notes

Sourced from loofah's releases.

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

Changelog

Sourced from loofah's changelog.

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

2.6.0 / 2020-06-16

Features

• Allow CSS border-style keywords. [#188] (Thanks, @tarcisiozf!)

2.5.0 / 2020-04-05

Features

• Allow more CSS length units: "ch", "vw", "vh", "Q", "lh", "vmin", "vmax". [#178] (Thanks, @JuanitoFatas!)

Fixes

• Remove comments from Loofah::HTML::Documents that exist outside the html element. [#80]

Other changes

• Gem metadata being set [#181] (Thanks, @JuanitoFatas!)
• Test files removed from gem file [#180,#166,#159] (Thanks, @JuanitoFatas and @greysteil!)

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width [#175] (Thanks, @bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. [#118]

2.3.1 / 2019-10-22

Security

Commits

• 029a496 version bump to v2.7.0
• 490cd05 Merge pull request #190 from ahorek/page_break
• a6d1d9e update CHANGELOG
• c0f4bb8 add page-break to safelist
• 39e105c Merge pull request #192 from b7kich/maintain_shorthand_css_important_rule
• 0aba0b9 update CHANGELOG
• ea6fe90 prefer Array#<< to creating a new array
• 50931f4 scrub_css should not drop !important from shorthand css props
• 1ce8698 update json dev dependency
• e48f298 version bump to v2.6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

[dependabot-preview[bot]]

Superseded by #1439.