Fix XSS vulnerability

[paulyi]

Description
Any HTML contained in msg will be rendered in the dom. This creates an XSS vulnerability if msg could be user input.

Solution
Insert msg as text. This will just display the string as is without trying to render any possible HTML contained within it.

[j1mmie]

@SLMNBJ Our team here discovered an XSS vulnerability in this repo. Any chance you are free to review this PR, merge, and re-release to NPM? If not, not biggie, we can fork the project. Let us know if we can help in any way

[paulyi]

@SLMNBJ Just bumping one more time before we fork. Let us know if there's anything we can do to help.

[paulyi]

@SLMNBJ Thank you for merging this in! If it's not too much trouble, could we get a new version published to NPM as well?

Let us know if there's anything you need from us.

[SLMNBJ]

Hi @paulyi,

I published the new version on npm.

Thanks for the PR.