Example:
set message as : "><img src=x onerror=alert(1)>

Suggestion:
The message should be escaped by default.