While Hibernate Validator provides the tools to make this perfectly safe and also documents it properly, it looks like users are not very aware of it and have a tendency to push user input to custom constraint violation message templates.
We will have to release a 6.2 for that as it breaks compatibility with the older versions.
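The pattern described above, next to the safe form, as an added example that is not code from the Hibernate Validator project or from this page. It assumes a 6.x release before 6.2 (`javax.validation` packages) with an EL implementation on the classpath; `KnownCountry`, `CountryValidator` and `Address` are hypothetical names.

```java
import java.lang.annotation.*;
import javax.validation.*;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public class SafeViolationMessage {

    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = CountryValidator.class)
    public @interface KnownCountry {               // hypothetical constraint
        String message() default "unknown country";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    public static class CountryValidator implements ConstraintValidator<KnownCountry, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || value.equals("FR") || value.equals("DE")) {
                return true;
            }
            ctx.disableDefaultConstraintViolation();

            // UNSAFE (the habit described above): the input becomes part of the
            // template, so the message interpolator parses whatever it contains.
            // ctx.buildConstraintViolationWithTemplate("Unknown country: " + value)
            //    .addConstraintViolation();

            // SAFE: the template is a compile-time constant. The input is bound
            // as an expression variable, so it is only ever treated as data.
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .addExpressionVariable("country", value)
               .buildConstraintViolationWithTemplate("Unknown country: ${country}")
               .addConstraintViolation();
            return false;
        }
    }

    static class Address {
        @KnownCountry String country;
        Address(String country) { this.country = country; }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed input containing template metacharacters.
        for (ConstraintViolation<Address> v : validator.validate(new Address("ZZ ${1+1}"))) {
            System.out.println(v.getMessage());
        }
    }
}
```

With the safe form the metacharacters in the input appear verbatim in the violation message, because the interpolator only ever parses the constant template.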