update ERB::Util.html_escape_once to always return an html_safe string

[flavorjones]

Motivation / Background

This PR updates the behavior of ERB::Util.html_escape_once to always return an html_safe string.

This method previously maintained the html_safe? property of a string on the return value. Because this string has been escaped, however, not marking it as html_safe causes entities to be double-escaped.

As an example, take this view snippet:

<p><%= html_escape_once("this & that &amp; the other") %></p>

Before this change, that would be double-escaped and render as:

<p>this &amp;amp; that &amp;amp; the other</p>

After this change, it renders correctly as:

<p>this &amp; that &amp; the other</p>

Fixes #48256

Checklist

Before submitting the PR make sure the following are checked:

• This Pull Request is related to one change. Changes that are unrelated should be opened in separate PRs.
• Commit message has a detailed description of what changed and why. If this PR fixes a related issue include it in the commit message. Ex: [Fix #issue-number]
• Tests are added or updated if you fix a bug or add a feature.
• CHANGELOG files are updated for the changed libraries if there is a behavior change or additional feature. Minor bug fixes and documentation changes should not be included.

[byroot]

That just make sense. html_escape returns a safe string, html_escape_once should be consistent with it.