Ensure MarkupHelper#link_to_html cannot accept unsanitized input

Problem

MarkupHelper has methods that are only safe to call with sanitized input, but has no way of enforcing that.

Additionally, it does things like node.text, which unescapes dangerous HTML, but then immediately hands the result to link_to, which re-escapes it. There is a risk that refactoring the method as is could cause it to become unsafe.

Follow-up issue from discussion at !18014 (comment 236395084)

Solution

We could move it to a private method on a class to avoid the chance of the useful-sounding link_to_html being called elsewhere and doing damage.

Alternatively we could return a special object when sanitizing input for this method, and ensure that link_to_html only processes that type of object rather than raw strings.

Edited Aug 14, 2020 by 🤖 GitLab Bot 🤖
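
A sketch of the second option above, as an added example that is not part of the original issue or GitLab's code: `SanitizedHtml`, `LinkHelper` and the escaping stand-in sanitizer are hypothetical names, and `link_to_html` here is a simplified stand-in with an assumed signature.

```ruby
require 'erb'

# Hypothetical marker type: instances can only be created through .sanitize,
# so holding one shows the content went through the sanitizer.
# (private_class_method guards against accidental misuse, not against #send.)
class SanitizedHtml
  private_class_method :new

  # Stand-in sanitizer (assumption): treats the input as plain text and
  # escapes it. A real helper would call the project's HTML sanitizer here.
  def self.sanitize(raw)
    new(ERB::Util.html_escape(raw.to_s))
  end

  def initialize(html)
    @html = html.dup.freeze
    freeze # immutable, so the content cannot be altered after sanitizing
  end

  def to_s
    @html
  end
end

module LinkHelper
  module_function

  # Simplified stand-in for link_to_html: wraps sanitized content in a link
  # and refuses anything that is not a SanitizedHtml, including raw Strings.
  # instance_of? (not is_a?) also rejects subclasses that override #to_s.
  # The URL is only attribute-escaped here; validating it is out of scope.
  def link_to_html(content, url)
    unless content.instance_of?(SanitizedHtml)
      raise ArgumentError, "expected SanitizedHtml, got #{content.class}"
    end

    %(<a href="#{ERB::Util.html_escape(url)}">#{content}</a>)
  end
end

# Constructed sample input:
#   safe = SanitizedHtml.sanitize('<b>hi</b>')
#   LinkHelper.link_to_html(safe, 'https://example.com')        # returns a link
#   LinkHelper.link_to_html('<b>hi</b>', 'https://example.com') # ArgumentError
```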