It appears that the only way the messages properly render from the renderValidationScript is by setting the default codec to 'none'. Otherwise the quotes around the messages are escaped.

This leaves the application vulnerable. Should be able to encode your page as html, but have the output from the tag not be encoded.