You probably have this setting in your Config.groovy:
grails.views.default.codec = "html"
It means that in all ${} expressions in GSPs, special HTML characters like '<' and '>' will be encoded. In general this is a reasonable setting because it prevents XSS attacks.
If you need to avoid this default behaviour for one specific expression, you can use this:
<td><%=params?.query?name.replace(params.query,'<span>'+params.query+'</span>'):name%></td>
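Since the `<%= %>` expression is written without the default codec, `name` and `params.query` reach the page unencoded along with the `<span>` markup. The following is an added example, not part of the original answer, of a highlighter that escapes every piece of data and leaves only the `<span>` tags raw. The `Highlight` class and its `esc` helper are hypothetical names, and `esc` stands in for Grails' `encodeAsHTML()` so the script runs in plain Groovy.

```groovy
// Added example: hypothetical helper, not code from the original answer.
class Highlight {

    // Minimal HTML escaper so the script runs outside Grails;
    // inside a Grails application encodeAsHTML() does this job.
    static String esc(String s) {
        s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;')
    }

    // Wrap each occurrence of query inside name in <span>...</span>.
    // Matching is done on the raw strings, escaping on each fragment,
    // so a query such as "amp" cannot match inside an "&amp;" entity.
    static String highlight(String name, String query) {
        if (!name) return ''
        if (!query) return esc(name)
        def out = new StringBuilder()
        int pos = 0
        int hit = name.indexOf(query, pos)
        while (hit >= 0) {
            out << esc(name.substring(pos, hit))          // text before the match
            out << '<span>' << esc(query) << '</span>'    // the match, escaped
            pos = hit + query.length()
            hit = name.indexOf(query, pos)
        }
        out << esc(name.substring(pos))                   // remaining text
        out.toString()
    }
}

// Constructed sample inputs
assert Highlight.highlight('Tom & Jerry', 'Jerry') == 'Tom &amp; <span>Jerry</span>'
assert Highlight.highlight('a<script>b', '<script>') == 'a<span>&lt;script&gt;</span>b'
assert Highlight.highlight('R&D amp', 'amp') == 'R&amp;D <span>amp</span>'
assert Highlight.highlight('plain', null) == 'plain'
```

In the GSP the cell would then read `<td><%= Highlight.highlight(name, params?.query) %></td>`, assuming the class is on the application's classpath and imported in the page.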