A vulnerability was recently reported in the Loofah gem that could expose your application to a cross-site scripting (XSS) attack.
From https://nvd.nist.gov/vuln/detail/CVE-2018-16468 it reads
Since the Ruby on Rails framework depends on rails-html-sanitizer, which in turn depends on loofah, there is a good chance that your application is affected too.
To immediately address this issue, add this to your Gemfile:
gem 'loofah', '~> 2.2.3'
Then update the gem:
bundle update loofah
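To confirm the update took effect, including when loofah only arrives as a transitive dependency of rails-html-sanitizer, check the version actually resolved in Gemfile.lock. The Ruby script below is an added example, not part of the original post; the lockfile content is constructed sample data and loofah_status is a hypothetical helper name.

```ruby
require 'rubygems'

# Floor taken from the Gemfile constraint shown on this page.
MIN_LOOFAH = Gem::Version.new('2.2.3')

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby
LOCK

# Hypothetical helper: reports the resolved loofah version, which gems
# pull it in, and whether it meets the floor.
def loofah_status(lock_text)
  resolved = nil
  dependents = []
  current = nil
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Four-space indent: a resolved gem and its exact version.
      current = m[1]
      resolved = Gem::Version.new(m[2]) if current == 'loofah'
    elsif line.match?(/\A {6}loofah(\s|\z)/)
      # Six-space indent: a dependency of the gem on the line above.
      dependents << current
    end
  end
  { resolved: resolved, dependents: dependents,
    patched: !resolved.nil? && resolved >= MIN_LOOFAH }
end

if __FILE__ == $PROGRAM_NAME
  status = loofah_status(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
  puts "loofah #{status[:resolved] || 'not in lockfile'}, required by: #{status[:dependents].join(', ')}"
  puts(status[:patched] ? 'OK: at or above 2.2.3' : 'Not at 2.2.3 or later') if status[:resolved]
end
```

Run it with the path to your own Gemfile.lock as the first argument; with no argument it reports on the constructed sample.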