Closed nowycondro closed 9 years ago
https://github.com/linkedin/dustjs/wiki/Dust-Tutorial mentions:
... All output values are escaped to avoid Cross Site Scripting (XSS) unless you use filters: ...
Try it with strings.json
"ZRP_MSG": "We did not find results for <span class='Fw-b query'>{query}</span>. Try the suggestions below or type a new query above."
and dust template
var str = "><b><font%20face=%27tahoma%27><img%20height="%20300"%20width="%20400"%20src="%20http://talkingbiznews.com/wp-content/uploads/2013/08/hacked.jpg"%20><h1>content%20injection</h1></b>";
{@intlMessage _key="ZRP_MSG" query=str /}
I verified this. Thanks for reporting it.
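An added example, not part of the original thread and not the dust helper's own code: it contrasts substituting a parameter into the `ZRP_MSG` string verbatim with escaping the parameter value first while keeping the message's own markup. The function names and the `{name}` placeholder handling are assumptions made for illustration, and the sample query is a shortened, constructed version of the reported string.

```javascript
// Added illustration. formatMessageUnsafe / formatMessageSafe are hypothetical
// names; they are not the real implementation of the intlMessage helper.

// Message text from strings.json as quoted in the report. The <span> markup is
// written by the application author; only {query} carries user input.
const ZRP_MSG =
  "We did not find results for <span class='Fw-b query'>{query}</span>. " +
  "Try the suggestions below or type a new query above.";

// Constructed sample input, shortened from the string in the report.
const SAMPLE_QUERY = '"><b><h1>content injection</h1></b>';

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Shared single-pass substitution: a value that itself contains "{name}" is
// never re-expanded, and unknown placeholders are left untouched.
function substitute(message, params, encode) {
  return message.replace(/\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(params, name)
      ? encode(params[name])
      : match);
}

// Behaviour described in the report: the parameter is inserted as-is, so any
// markup in it becomes part of the rendered page.
function formatMessageUnsafe(message, params) {
  return substitute(message, params, String);
}

// Hardened form: every parameter value is HTML-escaped before insertion; the
// trusted markup in the message string is preserved.
function formatMessageSafe(message, params) {
  return substitute(message, params, escapeHtml);
}
```

Escaping happens per parameter rather than on the finished string, which is what keeps the translator-authored `<span>` intact while neutralising the query.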