Fix sanitizer vendor config with 7.1 defaults

rails-html-santizer is a dependency of Action View and a transitive
dependency of Action Text (via Action Pack), but may not be loaded
until after railties sets configuration defaults.

This change `require`s rails-html-sanitizer immediately before it's
needed, and avoids the possibly-incorrect assumption that
Rails::HTML::Sanitizer is already defined.

Closes #51246

Co-authored-by: Rafael Mendonça França <rafael@rubyonrails.org>

railties/CHANGELOG.md

@@ -1,3 +1,10 @@
+*   Fix sanitizer vendor configuration in 7.1 defaults.
+
+    In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up
+    being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer.
+
+    *Mike Dalessio*, *Rafael Mendonça França*
+
 *   Setup jemalloc in the default Dockerfile for memory optimization.
 
     *Matt Almeida*, *Jean Boussier*

railties/lib/rails/application/configuration.rb

@@ -312,14 +312,14 @@ def load_defaults(target_version)
             active_support.raise_on_invalid_cache_expiration_time = true
           end
 
-          if defined?(Rails::HTML::Sanitizer) # nested ifs to avoid linter errors
-            if respond_to?(:action_view)
-              action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_view)
+            require "rails-html-sanitizer"
+            action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
 
-            if respond_to?(:action_text)
-              action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_text)
+            require "rails-html-sanitizer"
+            action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
           end
         when "7.2"
           load_defaults "7.1"