Ensure MarkupHelper#link_to_html cannot accept unsanitized input
MarkupHelper has methods that are only safe to call with sanitized input, but has no way of enforcing that.
Additionally it does things like node.text that unescape dangerous HTML, but then immediately hands it to link_to which re-escapes it. There is a risk that refactoring the method as is could cause it to become unsafe.
Follow up issue from discussion at !18014 (comment 236395084)
We could move it to a private method on a class to avoid the chance of the useful-sounding link_to_html being called elsewhere and doing damage.
Alternatively we could return a special object when sanitizing input for this method, and ensure that link_to_html only processes that type of object rather than raw strings.
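
The second option, sketched as an added example (not code from the project): `SanitizedHtml`, its stand-in `sanitize` that simply escapes everything, and `MarkupHelperSketch` are hypothetical names, and the helper is reduced to wrapping content in a link.

```ruby
require 'cgi'

# Hypothetical wrapper type. The only public way to build one is
# SanitizedHtml.sanitize, so holding an instance shows the markup
# went through the sanitizer.
class SanitizedHtml
  attr_reader :to_s

  # Stand-in sanitizer (assumption): escapes everything. A real one
  # would apply the application's allowlist instead.
  def self.sanitize(raw)
    new(CGI.escapeHTML(raw.to_s))
  end

  def initialize(html)
    @to_s = html.dup.freeze
    freeze
  end
  private_class_method :new
end

module MarkupHelperSketch
  module_function

  # Refuses raw strings outright. instance_of? (not is_a?) also rejects
  # subclasses that could define their own constructor.
  def link_to_html(content, url)
    unless content.instance_of?(SanitizedHtml)
      raise ArgumentError,
            "link_to_html requires SanitizedHtml, got #{content.class}"
    end
    # The URL is only attribute-escaped here; scheme checks are out of
    # scope for this sketch.
    %(<a href="#{CGI.escapeHTML(url)}">#{content}</a>)
  end
end

if __FILE__ == $PROGRAM_NAME
  safe = SanitizedHtml.sanitize('<script>x</script>') # constructed input
  puts MarkupHelperSketch.link_to_html(safe, '/issues/1')
  begin
    MarkupHelperSketch.link_to_html('<b>raw</b>', '/issues/1')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

This guards against accidental misuse by callers; Ruby's `send` can still reach the private constructor, so it is a guard rail rather than a hard boundary.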