Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.

app/views/documents/_nested_documents.html.erb

@@ -18,6 +18,6 @@
                               } %>
 
   <div id="max-documents-notice" class="max-documents-notice callout primary text-center <%= "hide" unless max_documents_allowed?(documentable) %>">
-    <%= t "documents.max_documents_allowed_reached_html" %>
+    <%= sanitize(t("documents.max_documents_allowed_reached")) %>
   </div>
 </div>