Patch #42737

open

Replacing html-pipeline with Loofah for HTML Filtering

Added by Takashi Kato 3 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

The latest version of html-pipeline is 3.2.3. Redmine still uses version 2.14.3, which was released in October 2022.
In version 3, html-pipeline replaces Nokogiri with Selma (a Ruby binding for Cloudflare’s lol-html) as its internal HTML parser. As a result, upgrading to version 3 would require rewrites of existing filters, due to major API differences.

ActionPack already incorporates loofah, which provides a filtering feature similar to that of html-pipeline. Adapting filters from html-pipeline 2 to Loofah’s scrubber feature is expected to be relatively straightforward, since both libraries are based on Nokogiri and share similar APIs. Migrating to loofah instead of upgrading html-pipeline helps avoid the complexity of having two different HTML parsers (Nokogiri and Selma) in the same application.

For HTML sanitization, we will continue to use the sanitize gem instead of Rails' built-in rails-html-sanitizer, as it offers greater flexibility and aligns with the defaults previously used by html-pipeline 2.
Additionally, since html-pipeline 2 uses Nokogiri’s HTML4 parser internally, and the Rails team recommends HTML5 parsing, this update also includes a transition to an HTML5-compatible parser.

The patch can be applied to r23780

