Fix sanitizer vendor config with 7.1 defaults

rails-html-santizer is a dependency of Action View and a transitive
dependency of Action Text (via Action Pack), but may not be loaded
until after railties sets configuration defaults.

This change `require`s rails-html-sanitizer immediately before it's
needed, and avoids the possibly-incorrect assumption that
Rails::HTML::Sanitizer is already defined.

Closes rails#51246

Co-authored-by: Rafael Mendonça França <[email protected]>

Author: flavorjones

railties/CHANGELOG.md

@@ -1,3 +1,10 @@
+*   Fix sanitizer vendor configuration in 7.1 defaults.
+
+    In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up
+    being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer.
+
+    *Mike Dalessio*, *Rafael Mendonça França*
+
 *   Set `action_mailer.default_url_options` values in `development` and `test`.
 
     Prior to this commit, new Rails applications would raise `ActionView::Template::Error`

railties/lib/rails/application/configuration.rb

@@ -310,14 +310,14 @@ def load_defaults(target_version)
             active_support.raise_on_invalid_cache_expiration_time = true
           end
 
-          if defined?(Rails::HTML::Sanitizer) # nested ifs to avoid linter errors
-            if respond_to?(:action_view)
-              action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_view)
+            require "rails-html-sanitizer"
+            action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
 
-            if respond_to?(:action_text)
-              action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_text)
+            require "rails-html-sanitizer"
+            action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
           end
         when "7.2"
           load_defaults "7.1"