In Psych >= 4.0.0, load defaults to safe_load. This commit
makes the ActiveRecord::Coders::YAMLColum class use Psych safe_load
as the Rails default.

This default is configurable via ActiveRecord::Base.use_yaml_unsafe_load

We conditionally fallback to the correct unsafe load if use_yaml_unsafe_load
is set to true. unsafe_load was introduced in Psych >= 4.0.0

The list of safe_load permitted classes is configurable via
ActiveRecord::Base.yaml_column_permitted_classes

[CVE-2022-32224]

Fix tag helper regression

retain Ruby 2.2 compatibility for Rails 5.2

ActionView::Helpers::TagHelper - use `<<-MSG` style heredoc to retain Ruby 2.2 compatibility

Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of
XML.

Use that method in the tag helpers of ActionView::Helpers. Add a deprecation
warning to the option :escape_attributes mentioning the new behavior and the
transition to :escape, to simplify by applying the option to the whole tag.

[CVE-2022-27777]

Fix 5-2-stable for CI

I think this changed with a version of minitest, update it to get the
tests passing for CI.

Manual backport of 9495a340

This test is throwing a 404 for the URI it's trying to open. The
callback is already deprecated in this PR and removed in future versions
so IMO it's safe to remove this test for a green CI.

Use the single line editor in console test

The newer version of minitest throws Ruby 3.x warnings. Lock minitest to
keep the version on one that passes on 2.7+

I changed this in the Gemfile instead of the gemspec because I don't
want apps to be blocked from using a newer version if it works fine with
5.2 even though 5.2 is almost EOL.

Make `LoadInterlockAwareMonitor` work in Ruby 2.7

The newest version of que requires changes to Rails to avoid a circular
warning and updates to the code to support updated options. Since Rails
5.2 is not supported for bug fixes and definitely not new features I've
decided not to fix this to support newer versions of que. Applications
should upgrade to Rails 7.0 instead.

Generate content security policy for non-HTML responses

Since those two constants were being defined inside the `app` folder,
they were being defined before the configuration was set in the
`after_initialize` block.

With this new implmentation we always use the configuration value, so
the order things are defined doesn't matter.

* 5-2-sec:
  Preparing for 5.2.6.3 release
  bumping version
  Added image transformation validation via configurable allow-list.

Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.

[CVE-2022-21831]

Restore ruby-2.2 compatibility for 5-2-stable

* 5-2-sec:
  Preparing for 5.2.6.2 release
  Preparing release
  Fix reloader to work with new Executor signature

This is a follow up to [CVE-2022-23633].

* 5-2-sec:
  Merge pull request #43863 from rails/yubikey-support
  Preparing for 5.2.6.1 release
  Preparing for release
  ActionDispatch::Executor don't fully trust `body#close`

Add support for YubiKey OTP codes during release

Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request.

[CVE-2022-23633]

Update URLs for the blog