[BUGFIX release] Ember.String.htmlSafe() should return a instance of SafeString for null / undefined

[tricknotes]

Currently, Ember.String.htmlSafe() returns a just String, not HTML Safe.
We expect it is a safe string.

I think this behavior has no problem in the most of case, but it shows warning when it is bound to style property.

---

For example:

App = Ember.Application.create();

App.Router.map(function() {
});

App.IndexController = Ember.Controller.extend({
  style: Ember.computed(function() {
    return Ember.String.htmlSafe(
      /* Some property will be given, but it may be `null` or `undefined`. */
    );
  })
});

{{! index.hbs}}
<span style={{style}}>Hi, Tomster!</span>

http://emberjs.jsbin.com/ficesumeju/2

The above code shows the following warning:

WARNING: Binding style attributes may introduce cross-site scripting vulnerabilities; please ensure that values being bound are properly escaped. For more information, including how to disable this warning, see http://emberjs.com/deprecations/v1.x/#toc_binding-style-attributes.

[stefanpenner]

LGTM – this explains some of the phantom warnings we have been seeing.

[rwjblue]

Thank you!