Allow Rails html_safe for non-interpolated String literal receiver

[amatsuda]

Current Rails/OutputSafety cop seems to be always warning any kinds of html_safe method call as possibly insecure code.

But in fact, html_safe is not such a dangerous thing. It's a part of Rails core API, and it's not something that is discouraged to use that way. It can just be a security risk only when the string could contain random user input values.

Actually, the document of this cop indicates the following code as a "good" code, so I guess this is just an implementation bug. https://github.com/rubocop-hq/rubocop/blob/a5abbde/manual/cops_rails.md#examples-27

out = "<h1>trusted content</h1>".html_safe

And so attached is a patch that allows html_safe call on non-interpolated string literals, just as documented.

---

• Wrote [good commit messages][1].
• Feature branch is up-to-date with master (if not - rebase it).
• Squashed related commits together.
• Added tests.
• Added an entry to the Changelog if the new code introduces user-observable changes. See changelog entry format.
• The PR relates to only one subject with a clear title
  and description in grammatically correct, complete sentences.
• Run bundle exec rake default. It executes all tests and RuboCop for itself, and generates the documentation.

[bbatsov]

Thanks for working on this, @amatsuda! I really appreciate it! 🙇