Bump rails-html-sanitizer from 1.4.3 to 1.5.0 (#480)

Bumps
[rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer)
from 1.4.3 to 1.5.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's
releases</a>.</em></p>
<blockquote>
<h2>1.5.0 / 2023-01-20</h2>
<ul>
<li>
<p><code>SafeListSanitizer</code>, <code>PermitScrubber</code>, and
<code>TargetScrubber</code> now all support pruning of unsafe tags.</p>
<p>By default, unsafe tags are still stripped, but this behavior can be
changed to prune the element
and its children from the document by passing <code>prune: true</code>
to any of these classes' constructors.</p>
<p><em><a
href="https://github.com/seyerian"><code>@​seyerian</code></a></em></p>
</li>
</ul>
<h2>1.4.4 / 2022-12-13</h2>
<ul>
<li>
<p>Address inefficient regular expression complexity with certain
configurations of Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23517. See <a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address improper sanitization of data URIs.</p>
<p>Fixes CVE-2022-23518 and <a
href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>.
See <a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23520. See <a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23519. See <a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails-html-sanitizer/blob/master/CHANGELOG.md">rails-html-sanitizer's
changelog</a>.</em></p>
<blockquote>
<h2>1.5.0 / 2023-01-20</h2>
<ul>
<li>
<p><code>SafeListSanitizer</code>, <code>PermitScrubber</code>, and
<code>TargetScrubber</code> now all support pruning of unsafe tags.</p>
<p>By default, unsafe tags are still stripped, but this behavior can be
changed to prune the element
and its children from the document by passing <code>prune: true</code>
to any of these classes' constructors.</p>
<p><em>seyerian</em></p>
</li>
</ul>
<h2>1.4.4 / 2022-12-13</h2>
<ul>
<li>
<p>Address inefficient regular expression complexity with certain
configurations of Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23517. See
<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w">GHSA-5x79-w82f-gw8w</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address improper sanitization of data URIs.</p>
<p>Fixes CVE-2022-23518 and <a
href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/135">#135</a>.
See
<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m">GHSA-mcvf-2q2m-x72m</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23520. See
<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8">GHSA-rrfc-7g8p-99q8</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Address possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer.</p>
<p>Fixes CVE-2022-23519. See
<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h">GHSA-9h9g-93gc-623h</a>
for more information.</p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/a337ec8a348b15a5ae52c5698cbf38dbc50bf34d"><code>a337ec8</code></a>
version bump to v1.5.0</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/459f1cdf32adbd6e17d65505e416d168fab212bc"><code>459f1cd</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/149">#149</a>
from kyoshidajp/update-checkout-v3</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/23ac131774ea28aea192576d83d88d9efda64f5d"><code>23ac131</code></a>
Bump actions/checkout from 2 to 3</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/79bc10bc0cb07624c43a66899f16385b7dab4f76"><code>79bc10b</code></a>
Merge pull request <a
href="https://github-redirect.dependabot.com/rails/rails-html-sanitizer/issues/147">#147</a>
from rails/flavorjones-port-1.4.4-changes</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/9ef5975c969949750806cd684ce719ad6d6a08cf"><code>9ef5975</code></a>
dev: set version to 1.5.0.dev</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/e31343f01c6e2a08c8f35bfd531792a3c1786c92"><code>e31343f</code></a>
doc: changelog entry for 1.4.4</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/e8cbe25634fc7455b80a5f8569b82e5c93dd580c"><code>e8cbe25</code></a>
dep: bump dependency on loofah</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/373fc6295918c4b0aad02111e869f4e0c6fc788b"><code>373fc62</code></a>
fix: escape CDATA nodes using Loofah's escaping methods</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/68ccf7e1dbaa425cc4a8651d5f583e754ef5061c"><code>68ccf7e</code></a>
revert 45a5c10</li>
<li><a
href="https://github.com/rails/rails-html-sanitizer/commit/bb6dfcbaaf9c5c8c4f77555557693c08d4d4ab48"><code>bb6dfcb</code></a>
fix: use Loofah's scrub_uri_attribute method</li>
<li>Additional commits viewable in <a
href="https://github.com/rails/rails-html-sanitizer/compare/v1.4.3...v1.5.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=rails-html-sanitizer&package-manager=bundler&previous-version=1.4.3&new-version=1.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the
default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as
the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as
the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the
default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/magicstone-dev/ecko/network/alerts).

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: dependabot[bot]

Gemfile.lock

@@ -352,7 +352,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -374,7 +374,7 @@ GEM
       nokogiri (~> 1)
       rake
     mini_mime (1.1.1)
-    mini_portile2 (2.8.0)
+    mini_portile2 (2.8.1)
     minitest (5.14.4)
     msgpack (1.4.2)
     multi_json (1.15.0)
@@ -461,7 +461,7 @@ GEM
     pundit (2.1.1)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
-    racc (1.6.1)
+    racc (1.6.2)
     rack (2.2.6.2)
     rack-attack (6.5.0)
       rack (>= 1.0, < 3)
@@ -499,8 +499,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.5.0)
+      loofah (~> 2.19, >= 2.19.1)
     rails-i18n (6.0.0)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 7)