author | Alessio Caiazza <acaiazza@gitlab.com> | 2018-06-25 16:13:53 +0000 |
---|---|---|
committer | Alessio Caiazza <acaiazza@gitlab.com> | 2018-06-25 16:13:53 +0000 |
commit | 70c02bf3bce18d39a4fae85bb927334391cd2a5e (patch) | |
tree | 0b0f3426976856f18fb5a9dc0c371b2447178cc8 /Gemfile.rails5.lock | |
parent | 4605d27d341d7840cba3453f2b2f23fb992c44b3 (diff) | |
parent | 039b0c0dbd956e458000fb4f3f7cf0a638098912 (diff) | |
download | gitlab-ce-70c02bf3bce18d39a4fae85bb927334391cd2a5e.tar.gz |
Merge branch 'security-fj-bumping-sanitize-gem' into 'master'
[master] Update sanitize gem to 4.6.5 to fix HTML injection vulnerability
See merge request gitlab/gitlabhq!2399
Diffstat (limited to 'Gemfile.rails5.lock')
-rw-r--r-- | Gemfile.rails5.lock | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/Gemfile.rails5.lock b/Gemfile.rails5.lock
index 679318b9be5..52388f17c7c 100644
--- a/Gemfile.rails5.lock
+++ b/Gemfile.rails5.lock
@@ -298,13 +298,13 @@ GEM
 flowdock (~> 0.7)
 gitlab-grit (>= 2.4.1)
 multi_json
- gitlab-gollum-lib (4.2.7.4)
+ gitlab-gollum-lib (4.2.7.5)
 gemojione (~> 3.2)
 github-markup (~> 1.6)
 gollum-grit_adapter (~> 1.0)
 nokogiri (>= 1.6.1, < 2.0)
 rouge (~> 3.1)
- sanitize (~> 2.1)
+ sanitize (~> 4.6.4)
 stringex (~> 2.6)
 gitlab-gollum-rugged_adapter (0.4.4.1)
 mime-types (>= 1.15)
@@ -518,6 +518,8 @@ GEM
 nio4r (2.3.1)
 nokogiri (1.8.2)
 mini_portile2 (~> 2.3.0)
+ nokogumbo (1.5.0)
+ nokogiri
 numerizer (0.1.1)
 oauth (0.5.4)
 oauth2 (1.4.0)
@@ -813,8 +815,10 @@ GEM
 et-orbi (~> 1.0)
 rugged (0.27.1)
 safe_yaml (1.0.4)
- sanitize (2.1.0)
+ sanitize (4.6.5)
+ crass (~> 1.0.2)
 nokogiri (>= 1.4.4)
+ nokogumbo (~> 1.4)
 sass (3.5.5)
 sass-listen (~> 4.0.0)
 sass-listen (4.0.0)
@@ -1162,7 +1166,7 @@ DEPENDENCIES
 ruby_parser (~> 3.8)
 rufus-scheduler (~> 3.4)
 rugged (~> 0.27)
- sanitize (~> 2.0)
+ sanitize (~> 4.6.5)
 sass-rails (~> 5.0.6)
 scss_lint (~> 0.56.0)
 seed-fu (~> 2.3.7) |