diff --git a/Gemfile b/Gemfile
index 2bd6acede79f03d9ef95a36ccd34e2b726d24118..149ae1fac0dc6bf43b412ea36977d6d12281b704 100644
--- a/Gemfile
+++ b/Gemfile
@@ -231,7 +231,7 @@ gem 'sanitize', '~> 2.0'
 gem 'babosa', '~> 1.0.2'
 
 # Sanitizes SVG input
-gem 'loofah', '~> 2.0.3'
+gem 'loofah', '~> 2.2'
 
 # Working with license
 gem 'licensee', '~> 8.9'
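Review bot: The new constraint `gem 'loofah', '~> 2.2'` still admits 2.2.0 and 2.2.1, whereas the Gemfile.lock hunk in this same commit shows rails-html-sanitizer 1.0.4 requiring `loofah (~> 2.2, >= 2.2.2)`. The changelog entry marks this as a security update, yet the floor is enforced only transitively and by the lockfile. If rails-html-sanitizer were ever resolved to an older release, the direct constraint would not stop loofah from dropping below 2.2.2. Consider stating the floor explicitly with `gem 'loofah', '~> 2.2', '>= 2.2.2'`, and extending the comment above it to record the reason, e.g. `# Sanitizes SVG input; keep >= 2.2.2 (security update)`.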
diff --git a/Gemfile.lock b/Gemfile.lock
index aed9f1d6b30bb3e82f7092226ceda6957f596d88..a92843f32d871b7151db77dbac035516c525165b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -143,6 +143,7 @@ GEM
     connection_pool (2.2.1)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
+    crass (1.0.3)
     creole (0.5.0)
     css_parser (1.5.0)
       addressable
@@ -485,7 +486,8 @@ GEM
       actionpack (>= 4, < 5.2)
       activesupport (>= 4, < 5.2)
       railties (>= 4, < 5.2)
-    loofah (2.0.3)
+    loofah (2.2.2)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.0)
       mini_mime (>= 0.1.1)
@@ -679,8 +681,8 @@ GEM
       activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     rails-i18n (4.0.9)
       i18n (~> 0.7)
       railties (~> 4.0)
@@ -1093,7 +1095,7 @@ DEPENDENCIES
   license_finder (~> 3.1)
   licensee (~> 8.9)
   lograge (~> 0.5)
-  loofah (~> 2.0.3)
+  loofah (~> 2.2)
   mail_room (~> 0.9.1)
   method_source (~> 0.8)
   minitest (~> 5.7.0)
diff --git a/changelogs/unreleased/sh-update-loofah.yml b/changelogs/unreleased/sh-update-loofah.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6aff0f91939b0d21e595b57d361bdfcb39b186f5
--- /dev/null
+++ b/changelogs/unreleased/sh-update-loofah.yml
@@ -0,0 +1,5 @@
+---
+title: Bump rails-html-sanitizer to 1.0.4
+merge_request:
+author:
+type: security