Our gem rails-html-sanitizer is already using loofah ~> 2.3, and our gem bulkrax is using loofah >= 2.2.3. It is unclear what is causing us to have 2.18.0 pinned in Gemfile.lock, but I suspect it may be our Rails version.
No noted breaking changes in the loofah changelog from 2.18.0 to 2.19.1.
bundler-audit messages:

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23515
GHSA: GHSA-228g-948r-83gx
Criticality: Medium
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
Title: Improper neutralization of data URIs may allow XSS in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23514
GHSA: GHSA-486f-hjj9-9vhh
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
Title: Inefficient Regular Expression Complexity in Loofah
Solution: upgrade to '>= 2.19.1'

Name: loofah
Version: 2.18.0
CVE: CVE-2022-23516
GHSA: GHSA-3x8r-x6xp-q4vm
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
Title: Uncontrolled Recursion in Loofah
Solution: upgrade to '>= 2.19.1'
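As an added example (not code from this thread or from the project), the script below answers the question raised above: which specs in Gemfile.lock depend on loofah, what constraint each one imposes, and whether the version bundler-audit asks for ('>= 2.19.1') satisfies all of them. It parses the `specs:` section of a lockfile directly and uses only rubygems' `Gem::Requirement`, so it runs without Bundler. The lockfile contents embedded here are constructed for illustration; the gem versions and the dependency list are assumptions, and the real Gemfile.lock will differ.

```ruby
# Added example: find which Gemfile.lock specs depend on a gem and whether a
# target version satisfies every constraint they impose. Uses only rubygems.
require "rubygems"

# Constructed sample lockfile (NOT the project's real Gemfile.lock). The
# versions and dependency constraints below are assumptions for illustration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bulkrax (5.0.0)
        loofah (>= 2.2.3)
      loofah (2.18.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
      actionview (6.1.7)
        rails-html-sanitizer (~> 1.1, >= 1.2.0)
LOCK

# Parse the "specs:" section of a Gemfile.lock into
# { name => { version: String, deps: { dep_name => Gem::Requirement } } }.
# In the lockfile format, spec lines are indented 4 spaces and each spec's
# dependencies 6 spaces; a line starting in column 0 begins the next section.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
      next
    end
    next unless in_specs
    if line =~ /\A\S/ # PLATFORMS, DEPENDENCIES, ... end the specs list
      in_specs = false
      current = nil
      next
    end
    if line =~ /\A {4}(\S+) \((.+)\)\z/
      current = $1
      specs[current] = { version: $2, deps: {} }
    elsif current && line =~ /\A {6}(\S+)(?: \((.+)\))?\z/
      # A dependency without a parenthesised constraint means ">= 0".
      req = $2 ? Gem::Requirement.new($2.split(", ")) : Gem::Requirement.default
      specs[current][:deps][$1] = req
    end
  end
  specs
end

# { dependent_name => Gem::Requirement } for every spec that depends on gem_name.
def dependents_of(specs, gem_name)
  specs.select { |_, s| s[:deps].key?(gem_name) }
       .map { |name, s| [name, s[:deps][gem_name]] }
       .to_h
end

# Report the locked version, who depends on the gem, and which dependents'
# constraints would block an upgrade to `target`.
def upgrade_report(specs, gem_name, target)
  target_v = Gem::Version.new(target)
  deps = dependents_of(specs, gem_name)
  blockers = deps.reject { |_, req| req.satisfied_by?(target_v) }.keys
  {
    locked: specs.dig(gem_name, :version),
    dependents: deps.transform_values(&:to_s),
    blockers: blockers,
    upgradable: blockers.empty?
  }
end

if __FILE__ == $0
  report = upgrade_report(parse_lock_specs(SAMPLE_LOCK), "loofah", "2.19.1")
  puts "loofah locked at #{report[:locked]}"
  report[:dependents].each { |name, c| puts "  #{name} requires loofah #{c}" }
  if report[:upgradable]
    puts "2.19.1 satisfies every constraint; try: bundle update loofah --conservative"
  else
    puts "upgrade blocked by: #{report[:blockers].join(', ')}"
  end
end
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`. If no dependent's constraint excludes 2.19.1, the pin is just Bundler keeping the previously resolved version rather than a hard requirement, and `bundle update loofah --conservative` should move only loofah.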