- Apr 26, 2022
Aaron Patterson authored
Alvaro Martin Fraguas authored
Add the method ERB::Util.xml_name_escape to escape dangerous characters in names of tags and names of attributes, following the specification of XML. Use that method in the tag helpers of ActionView::Helpers. Add a deprecation warning to the option :escape_attributes mentioning the new behavior and the transition to :escape, to simplify by applying the option to the whole tag. [CVE-2022-27777]
- Apr 12, 2022
Aaron Patterson authored
Generate content security policy for non-HTML responses
- Mar 08, 2022
Aaron Patterson authored
Zack authored
ImageProcessingTransformer now offers a configurable allow-list for transformation methods in addition to a configurable deny-list for arguments. [CVE-2022-21831]
- Feb 11, 2022
Aaron Patterson authored
Aaron Patterson authored
This is a follow up to [CVE-2022-23633].
Aaron Patterson authored
Jean Boussier authored
Under certain circumstances, the middleware isn't informed that the response body has been fully closed, which results in request state not being fully reset before the next request. [CVE-2022-23633]
- Dec 15, 2021
Rafael Mendonça França authored
Allow IPs with port in the HostAuthorization middleware
Aaron Patterson authored
Allow any allowed host with port
- Dec 14, 2021
Aaron Patterson authored
Aaron Patterson authored
Aaron Patterson authored
Allow localhost with a port by default in development
Aaron Patterson authored
Add support for YubiKey OTP codes during release
Aaron Patterson authored
Aaron Patterson authored
- Dec 07, 2021
Stef Schenkelaars authored
Prior to this commit, it was possible to pass an unvalidated host through the `X-Forwarded-Host` header. If the value of the header was prefixed with an invalid domain character (for example a `/`), it was always accepted as the actual host of that request. Since this host is used for all url helpers, an attacker could change generated links and redirects. If the header is set to `X-Forwarded-Host: //evil.hacker`, a redirect will be sent to `https:////evil.hacker/`. Browsers will ignore these four slashes and redirect the user. [CVE-2021-44528]
- Aug 19, 2021
Aaron Patterson authored
- Aug 18, 2021
Jonathan Hefner authored
Follow-up to 83a6ac3f. This allows `HTTP_HOST` to be omitted as before, and reduces the number of object allocations per request.

Benchmark:

```ruby
# frozen_string_literal: true

require "benchmark/memory"

HOST = "example.com:80"
BEFORE_REGEXP = /\A(?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?\z/
AFTER_REGEXP = /(?:\A|,[ ]?)([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?\z/i

Benchmark.memory do |x|
  x.report("BEFORE (non-nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(HOST.to_s.split(/,\s?/).last)[:host]
  end

  x.report("BEFORE (nil X-Forwarded-Host)") do
    origin_host = BEFORE_REGEXP.match(HOST.to_s.downcase)[:host]
    forwarded_host = BEFORE_REGEXP.match(nil.to_s.split(/,\s?/).last)
  end

  x.report("AFTER (non-nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = HOST&.slice(AFTER_REGEXP, 1) || ""
  end

  x.report("AFTER (nil X-Forwarded-Host)") do
    origin_host = HOST&.slice(AFTER_REGEXP, 1) || ""
    forwarded_host = nil&.slice(AFTER_REGEXP, 1) || ""
  end
end
```

Results:

```
BEFORE (non-nil X-Forwarded-Host)
   616.000  memsize (   208.000  retained)
     9.000  objects (     2.000  retained)
     2.000  strings (     1.000  retained)
BEFORE (nil X-Forwarded-Host)
   328.000  memsize (     0.000  retained)
     5.000  objects (     0.000  retained)
     2.000  strings (     0.000  retained)
AFTER (non-nil X-Forwarded-Host)
   248.000  memsize (   168.000  retained)
     3.000  objects (     1.000  retained)
     1.000  strings (     0.000  retained)
AFTER (nil X-Forwarded-Host)
    40.000  memsize (     0.000  retained)
     1.000  objects (     0.000  retained)
     1.000  strings (     0.000  retained)
```

[CVE-2021-22942]
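Host extraction in the style of the `AFTER_REGEXP` from the commit message above, wrapped in an allow-list check that fails closed when a forwarded host does not parse (the `//evil.hacker` case from the Dec 07 message). This is an added example, not code from the Rails commits listed here; `HOST_REGEXP`, `host_authorized?`, the allow-list and the request hashes are assumptions constructed for illustration.

```ruby
# Added example (not Rails' own code). HOST_REGEXP mirrors the AFTER_REGEXP quoted
# in the commit message above; everything else is constructed for this example.
HOST_REGEXP = /(?:\A|,[ ]?)([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(?::\d+)?\z/i

# Last host of a (possibly comma-separated) header value, port stripped.
# Returns "" for nil or for a value that is not a host at all ("//evil.hacker").
def extract_host(header_value)
  header_value&.slice(HOST_REGEXP, 1) || ""
end

def allowed_host?(host, allowed)
  allowed.any? { |entry| entry.casecmp?(host) }
end

# Rack-style env: HTTP_HOST is required; HTTP_X_FORWARDED_HOST is optional but,
# when present, must both parse and be on the allow-list.
def host_authorized?(env, allowed)
  origin = extract_host(env["HTTP_HOST"])
  return false if origin.empty?

  forwarded_raw = env["HTTP_X_FORWARDED_HOST"].to_s
  forwarded = extract_host(forwarded_raw)
  # Present but unparseable: fail closed rather than pass it on to URL helpers.
  return false if !forwarded_raw.empty? && forwarded.empty?

  allowed_host?(origin, allowed) &&
    (forwarded.empty? || allowed_host?(forwarded, allowed))
end

if __FILE__ == $PROGRAM_NAME
  allowed = ["example.com", "localhost", "[::1]"]   # constructed allow-list
  [
    { "HTTP_HOST" => "example.com:80" },            # allowed; port is ignored
    { "HTTP_HOST" => "localhost:3000" },            # dev host with a port
    { "HTTP_HOST" => "example.com", "HTTP_X_FORWARDED_HOST" => "//evil.hacker" }, # rejected
    { "HTTP_HOST" => "example.com", "HTTP_X_FORWARDED_HOST" => "evil.hacker" },   # not listed
  ].each { |env| puts "#{env.inspect} => #{host_authorized?(env, allowed)}" }
end
```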
- Jun 15, 2021
Rafael Mendonça França authored
- Jun 10, 2021
Rafael França authored
Fix invalid statement template compile error
- Jun 07, 2021
Ryuta Kamizono authored
Address CI failure due to non-determined sort order
- May 28, 2021
Jean Boussier authored
Add net-smtp and matrix to the Gemfile to fix the ruby-head build
- May 05, 2021
Aaron Patterson authored
[CVE-2021-22903]
Aaron Patterson authored
* 6-0-sec:
  Preparing for 6.0.3.7 release
  update changelog
  Prevent slow regex when parsing host authorization header
  Prevent string polymorphic route arguments
  Prevent catastrophic backtracking during mime parsing
Aaron Patterson authored
- May 04, 2021
Aaron Patterson authored
The old regex could take too long when parsing an authorization header, and this could potentially cause a DoS vulnerability. [CVE-2021-22904]
Gannon McGibbon authored
url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If an array is passed, strings can result in unwanted route helper calls. CVE-2021-22885
Security Curious authored
The regular expression used to parse the mime type can result in catastrophic backtracking[1], allowing for a ReDoS attack[2]. This commit uses atomic grouping[3] to prevent backtracking.

1. https://www.regular-expressions.info/catastrophic.html
2. https://en.wikipedia.org/wiki/ReDoS
3. https://www.regular-expressions.info/atomic.html

[CVE-2021-22902]