feat(core) Fix various cases of HTML escaping

msgPool always returns escaped string because it may be used from
 smarty.
htmlescape now calls htmlspecialchars instead of htmlentities, allowing
 to escape strings with % without losing sprintf capability.

issue #6071