loofah is vulnerable to cross-site scripting (XSS) attacks. The vulnerability can occur under specific conditions when running on MRI or RBX and while using libxml2 >= 2.9.2. It exists as the scrub_attributes
method in lib/loofah/html5/scrub.rb
failed to sanitize some non-whitelisted attributes.