I believe by default <c:out>
escapes XML. You'll need to explicitly tell it not to with
<c:out escapeXml="false" value="${theMessage}"/>
Can't find newer docs, but see here. Among the attributes, you have
escapeXml
Determines whether characters <,>,&,'," in the resulting string should be converted to their corresponding character entity codes. Default value is true.