Use Rails::HTML5::Sanitizer when sanitizing HTML

Since we use a version of Loofah supporting HTML5 since db2d0bb80, the
`Rails::HTML::Sanitizer.best_supported_vendor` method will return the
HTML5 sanitizer. As mentioned in the pull request introducting this
change [1], the libxml2 maintainer wrote:

> it's still a bad idea to use a 20+ years old, unmaintained HTML 4
> parser to sanitize input for the modern web

So we're going with the new default sanitizer.

Note we aren't uncommenting the `action_text.sanitizer_vendor` option
because we don't use Action Text and so it doesn't affect us , and
uncommeting it will raise an error.

Also note we need to change one test because the new sanitizer handles
whitespace slightly differently.

[1] Pull request 48293 in https://github.com/rails/rails

config/initializers/new_framework_defaults_7_1.rb

@@ -226,7 +226,7 @@ Rails.application.config.active_record.generate_secure_token_on = :initialize
 #
 # In previous versions of Rails, Action View always used `Rails::HTML4::Sanitizer` as its vendor.
 #++
-# Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
 
 
 ###

spec/models/legislation/draft_version_spec.rb

@@ -135,16 +135,14 @@ describe Legislation::DraftVersion do
 
       <p>Something about this.</p>
 
-      <table>
+      <table><thead>
-      <thead>
       <tr>
       <th>id</th>
       <th>name</th>
       <th>age</th>
       <th>gender</th>
       </tr>
-      </thead>
+      </thead><tbody>
-      <tbody>
       <tr>
       <td>1</td>
       <td>Roberta</td>
@@ -157,8 +155,7 @@ describe Legislation::DraftVersion do
       <td>25</td>
       <td>F</td>
       </tr>
-      </tbody>
+      </tbody></table>
-      </table>
     BODY_HTML
   end