Sanitize translations instead of using _html

Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.

app/views/mailer/evaluation_comment.html.erb

@@ -9,7 +9,11 @@
   </p>
 
   <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;font-weight: normal;line-height: 24px;">
-    <%= t("mailers.evaluation_comment.new_comment_by_html", commenter: @email.comment.author.name, investment: valuation_comments_link(@email.commentable)) %>
+    <%= sanitize(t(
+      "mailers.evaluation_comment.new_comment_by",
+      commenter: @email.comment.author.name,
+      investment: valuation_comments_link(@email.commentable)
+    )) %>
   </p>
 
   <%= t("mailers.evaluation_comment.commenter_info", commenter: @email.comment.author.name, time: l(@email.comment.created_at)) %>