For the scenario where the message format is <script>alert(':message');</script> the notification will break if there is a single quote inside the :message.
The call to htmspecialchars ensures double_encoding is disabled so it will still work if message is "Hello "World"".
For the scenario where the message format is
<script>alert(':message');</script>the notification will break if there is a single quote inside the:message.The call to
htmspecialcharsensuresdouble_encodingis disabled so it will still work if message is"Hello "World"".