[Security] Bump loofah from 2.2.3 to 2.4.0

Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.3 to 2.4.0. **This update includes a security fix.**
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.2.3...v2.4.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Author: dependabot-preview[bot]

Gemfile.lock

@@ -81,7 +81,7 @@ GEM
     concurrent-ruby (1.1.5)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.4)
+    crass (1.0.6)
     database_cleaner (1.7.0)
     debug_inspector (0.0.3)
     delayed_job (4.1.5)
@@ -129,7 +129,7 @@ GEM
       addressable (~> 2.3)
     leaflet-rails (1.0.3)
       rails (>= 4.2.0)
-    loofah (2.2.3)
+    loofah (2.4.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)