
[Security] Bump haml from 3.1.6 to 5.1.2#16

Closed

dependabot-preview[bot] wants to merge 1 commit into master from dependabot/bundler/haml-5.1.2

Conversation

@dependabot-preview

Bumps haml from 3.1.6 to 5.1.2.

Changelog

Sourced from haml's changelog.

5.1.2

Released on August 6, 2019 (diff).

  • Fix crash in some environments such as New Relic by unfreezing string literals for ParseNode#inspect. #1016 (thanks Jalyna)

5.1.1

Released on May 25, 2019 (diff).

  • Fix NameError bug that happens on ruby 2.6.1-2.6.3 + haml 5.1.0 + rails < 5.1 + erubi. (Akira Matsuda)

5.1.0

Released on May 16, 2019 (diff).

  • Rails 6 support #1008 (thanks Seb Jacobs)
  • Add escape_filter_interpolations option for backwards compatibility with haml 4 defaults #984 (thanks Will Jordan)
  • Fix error on empty :javascript and :css filter blocks #986 (thanks Will Jordan)
  • Respect changes in Haml::Options.defaults in Haml::TempleEngine options (Takashi Kokubun)
  • Un-freeze TempleEngine precompiled string literals #983 (thanks Will Jordan)
  • Various performance/memory improvements #965, #966, #963 (thanks Dillon Welch)
  • Enable frozen_string_literal magic comment for all .rb files #967 (thanks Dillon Welch)

5.0.4

Released on October 13, 2017 (diff).

  • Fix haml -c --stdin regression in 5.0.2. #958 (thanks Timo Göllner)
  • Ruby 2.5 support (it wasn't working due to Ripper API change). (Akira Matsuda)

5.0.3

Released on September 7, 2017 (diff).

  • Use String#dump instead of String#inspect to generate string literal. (Takashi Kokubun)
  • Fix Erubi superclass mismatch error. #952 (thanks Robin Daugherty)

5.0.2

Released on August 1, 2017 (diff).

  • Let haml -c fail if generated Ruby code is syntax error. #880 (Takashi Kokubun)
  • Fix NoMethodError bug caused with Sprockets 3 and :sass filter. #930 (thanks Gonzalez Maximiliano)
... (truncated)
Commits
  • 9be4e1f Version 5.1.2
  • 645fcfc rails 4.2 requires bundler < 2 without bundler >= 2 being installed
  • 4dbb180 Merge pull request #1016 from jalyna/fix-frozen-string-literals-on-inspect
  • bc88181 Unfreeze string literals for ParseNode#inspect
  • a054e2a Stop polluting toplevel unnecessarily
  • 2705bbc
  • c7da7a1 ruby < 1.9.3 is no longer supported
  • d134875 Freeze some constants
  • f7c5baa if + else = elsif
  • d6c50ec This has been just an accessor since 1b784bcc50f5f437fd85b9e1a5fe147665d5a5ca
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

Bumps [haml](https://github.com/haml/haml) from 3.1.6 to 5.1.2.
- [Release notes](https://github.com/haml/haml/releases)
- [Changelog](https://github.com/haml/haml/blob/master/CHANGELOG.md)
- [Commits](haml/haml@3.1.6...v5.1.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@dependabot-preview dependabot-preview bot added the dependencies Pull requests that update a dependency file label Sep 1, 2019
@dependabot-preview (Author)

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Moderate severity vulnerability that affects haml
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

Affected versions: ["< 5.0.0"]
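To make the advisory concrete, here is an added Ruby example (not haml's own code): an attribute-value escaper that covers all five characters, an incomplete variant that mirrors the described omission of `'`, and the invariant a regression test should assert on the rendered attribute. The sample input is constructed; haml's default single-quoted attribute wrapper is assumed.

```ruby
require "cgi"

# Entity table for the five characters that matter inside a quoted attribute.
# The advisory describes a code path where ' was left out of this set.
ATTR_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Escape a value for use inside a quoted HTML attribute (all five characters).
def escape_attr(value)
  value.to_s.gsub(/[&<>"']/, ATTR_ESCAPES)
end

# Incomplete escaper that mirrors the defect described in the advisory:
# it handles & < > " but leaves ' untouched. Kept only to exercise the check.
def escape_attr_missing_quote(value)
  value.to_s.gsub(/[&<>"]/, ATTR_ESCAPES)
end

# Render one attribute the way haml emits it by default (single-quoted).
def render_attr(name, value, escaper: method(:escape_attr))
  "#{name}='#{escaper.call(value)}'"
end

# Invariant a regression test should assert: the text between the outer
# quotes of a rendered attribute never contains the quote character itself,
# so user input cannot terminate the value early and start a new attribute.
def value_contained?(rendered)
  inner = rendered[/\A[\w:-]+='(.*)'\z/m, 1]
  !inner.nil? && !inner.include?("'")
end

# Round trip: the escaped value must decode back to the original input,
# so escaping is lossless as well as safe.
def round_trips?(value)
  CGI.unescapeHTML(escape_attr(value)) == value
end

if $PROGRAM_NAME == __FILE__
  sample = "Bob's \"big\" <deal> & co" # constructed input, not from the page
  puts render_attr("title", sample)
  puts value_contained?(render_attr("title", sample))
  puts value_contained?(render_attr("title", sample, escaper: method(:escape_attr_missing_quote)))
end
```

Running it prints the escaped attribute, then `true` for the complete escaper and `false` for the variant that skips `'`.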

@dependabot-preview dependabot-preview bot changed the title Bump haml from 3.1.6 to 5.1.2 [Security] Bump haml from 3.1.6 to 5.1.2 Oct 21, 2019
@dependabot-preview dependabot-preview bot added the security Pull requests that address a security vulnerability label Oct 21, 2019
@dependabot-preview (Author)

Superseded by #27.

@dependabot-preview dependabot-preview bot deleted the dependabot/bundler/haml-5.1.2 branch October 1, 2020 12:14