Default embed needs to escape output

Right now the widget is rendered as is if no routes match, allowing unsanitized html to be injected.  Looks like the sanitizer is catching these but we'll want to encode the content before rendering as an extra precaution.
