Merge pull request from GHSA-cfjv-5498-mph5

Prior to this commit, when a translation key indicated that the
translation text was HTML, the value returned by `I18n.translate` would
always be marked as `html_safe`.  However, the value returned by
`I18n.translate` could be an untrusted value directly from
`options[:default]`.

This commit ensures values directly from `options[:default]` are not
marked as `html_safe`.

Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>

Author: georgeclaghorn