MusicBrainz Server, issue MBS-10632

Potential XSS injection in form field error messages


    • Type: Bug
    • Priority: Normal
    • Resolution: Unresolved
    • Component: Editing interface

Fix #1361 for MBS-10576 opens the door to potential XSS injection in form field error messages, since the View component assumes that error messages are already correctly HTML-encoded by the Model and Controller components, which proved untrue at least once.

A safer implementation would be to build structured (expandable) objects instead of HTML strings, pass those objects to the renderer, and let the renderer HTML-encode every string itself.
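As an added illustration (not code from MusicBrainz Server), the two patterns in plain JavaScript: a view that trusts an HTML string handed to it versus a view that receives structured error parts and encodes every string itself. The function names and the text/link part shape are hypothetical.

```javascript
// Added example, not MusicBrainz Server code. Function names (escapeHtml,
// renderErrorHtmlUnsafe, renderError) and the part shape are hypothetical.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that could change HTML context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Pattern the ticket describes as unsafe: the view assumes the string was
// already encoded upstream and inserts it verbatim. Any markup that slipped
// through the model/controller layer reaches the page unchanged.
function renderErrorHtmlUnsafe(message) {
  return `<span class="error">${message}</span>`;
}

// Safer pattern: the model/controller returns data, never markup. A message is
// a list of parts, each a plain string or a link {type: 'link', text, href};
// the renderer decides how each part becomes HTML and encodes every string.
function renderError(parts) {
  const html = parts.map((part) => {
    if (typeof part === 'string') return escapeHtml(part);
    if (part && part.type === 'link') {
      // Only http(s) targets are allowed; anything else degrades to '#'.
      const href = /^https?:\/\//.test(part.href) ? part.href : '#';
      return `<a href="${escapeHtml(href)}">${escapeHtml(part.text)}</a>`;
    }
    throw new TypeError(`unknown error part: ${JSON.stringify(part)}`);
  }).join('');
  return `<span class="error">${html}</span>`;
}

// Constructed sample: a field value echoed back in an error message happens
// to contain markup. Only the structured renderer neutralises it.
const echoedValue = '<b>x</b>';
console.log(renderErrorHtmlUnsafe(`Invalid value: ${echoedValue}`));
console.log(renderError(['Invalid value: ', echoedValue]));
console.log(renderError([
  'Already exists, see ',
  { type: 'link', text: 'this & that', href: 'https://example.org/entity/1' },
]));
```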

            Assignee: Unassigned
            Reporter: yvanzo
            Votes: 0
            Watchers: 2