Html::transformRootRelativeUrlsToAbsolute() replaces "\r\n" with "
\n"

Nice edge case!

+++ b/core/tests/Drupal/Tests/Component/Utility/HtmlTest.php
@@ -387,6 +387,8 @@ public function providerTestTransformRootRelativeUrlsToAbsolute() {
+    $data['html without links'] = ["Test without links but with\r\nsome special characters", 'http://example.com', FALSE];

Could you also add a test case that already contains 
 in the original HTML? 🤓🙏

Thanks @fjgarlin tested manually and works great!

One potential edge case: we are using $placeholder = uniqid();
For a mail, it is not uncommon to generate tokens, it is very unlikely that we could have uniquid matching the substring of a token, but that could theoretically happen, so perhaps we could use a safeguard value (e.g. use a prefix as the first uniquid parameter).
What do you think?

Nice! re-tested manually, setting as RTBC

Note there are some edge cases where this would have side effects on markup. For example, if the string has just "\r" as whitespace in a tag, that whitespace gets replaced with uniqid, DOMDocument doesn't see any whitespace separating element from attributes, and you end up with attribute values being lost and a weird closing tag added to try to fix the markup. In addition, carriage returns are added back to the output after DOMDocument has cleaned up extra whitespace from tags.

I think calling saveHTML() in Html::serialize() would prevent the 
 from being added - I can't remember why saveXML() is used instead

Right, we cannot simply use DOMDocument::saveHTML(), but eventually perhaps things can be refactored to make it possible; here are two related issues: #1333730: [Meta] PHP DOM (libxml2) misinterprets HTML5 and #3216912: Html::serialize adds unwanted/duplicate xml:* attributes

And here's an additional test case to illustrate potential issue. It's easier to see the output using phpunit --testdox:
Given <a⟵href='/node'>My·link</a>, output is <a⟵href>My·link</a⟵href> rather than <a·href="http://example.com/node">My·link</a>

DOMDocument does some normalizing of elements, e.g. a newline inside a tag is converted to a space.

The main thing I was trying to point out is how in this edge case (specifically chosen to break this patch), the value of the href attribute is totally lost, and a spurious href attribute is added to the closing tag.

I would recommend str_replace(["\r\n", "\r"], "\n", $html)

This will replace the common CR-LF sequence with LF, then it will also replace any lone CR with LF.

I think it makes sense to just get rid of all CR as DOMDocument::saveXML() doesn't handle them correctly, for HTML purposes, when they are found in text nodes

To further clarify on why get rid of CR, 
 is valid in XML so that's why saveXML() outputs it, but is considered invalid in HTML - the W3C HTML validation error is "A numeric character reference expanded to carriage return." There are some arcane HTML rules about which numeric character entities are allowed

Addressed the comment #30
Attached patch against Drupal 10.1.x

The comment seems a little vague, howabout something like PHP's \DOMDocument::saveXML() encodes carriage returns as 
 so normalize all newlines to line feeds.

I'm also adding a duplicate related issue: #2975602: Html::serialize() escapes \r to 

LGTM.

I updated the release notes snippet to better describe the consequences of this change, which will affect some core and contrib filters as well as the transformRootRelativeUrlsToAbsolute() method.

Discussed with @longwave who pointed out that someone somewhere might be relying on the behaviour. It'm not sure that that should prevent use from making the change but it does mean we should have a CR.

@fjgarlin I fixed up the CR to have before and after - that always helps on a CR.

The change record looks good to me.

Good find and the fix seems sensible. Committed to 10.1.x and published the CR. Note that I did not backport it on account of #39. Thanks!