Upgrade loofah to >= 2.2.1 to prevent potential XSS vulnerability caused by libxml2 (CVE-2018-8048)

upstream loofah released a new version to mitigate this recently. Currently, we don't depend directly on loofah, it gets pulled in via rails-html-sanitizer and i18n. Not sure what's the way forward here (e.g. depending directly on it, or pushing the upstreams of r-h-s and i18n), but, FWIW, I've just sent a mail to rails-html-sanitizer upstream, as this new version is breaking two tests, asking for input.