PCI Compliance Fails CGI XSS & Remote File Inclusion

I suspect the scanner parses the HTML after the payload is generated and spots unescaped HTML inside a quoted attribute’s value, then wrongly flags it as exploitable. But in reality—it’s not.

For unescaped HTML inside an attribute’s value to be dangerous, it would have to break out of the quotes—and that’s not possible here, since we’re correctly escaping the quotes in the user’s input.
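The check a reviewer would want before disputing the finding, as an added example that is not code from the original post: render the template with a scanner-style probe, parse the result the way a browser would, and confirm the probe never leaves the attribute value. The template, attribute names and probe string are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed template: untrusted input lands inside a double-quoted attribute value.
TEMPLATE = '<input type="text" name="q" value="{value}">'
# Constructed probe of the kind a scanner injects: tries to close the quote, then the tag.
PROBE = '"><script>alert(1)</script>'

def render_quotes_only(user_input: str) -> str:
    """The post's argument: only the quote is escaped; '<' and '>' stay literal."""
    return TEMPLATE.format(value=user_input.replace('"', "&quot;"))

def render_fully_escaped(user_input: str) -> str:
    """The usual attribute-context escaping: &, <, >, \" and ' all become entities."""
    return TEMPLATE.format(value=html.escape(user_input, quote=True))

def render_unescaped(user_input: str) -> str:
    """No escaping at all; the only variant where the probe really breaks out."""
    return TEMPLATE.format(value=user_input)

class _TagCollector(HTMLParser):
    """Records every start tag with its decoded attributes, as a browser would see them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup: str):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def input_confined_to_attribute(markup: str, user_input: str) -> bool:
    """True when the parse yields exactly the one <input> the template emits and its
    value attribute decodes back to the original input, i.e. nothing left the quotes.
    Only meaningful for plain attributes: event handlers (on*) and URL attributes
    (href, src) interpret the decoded value further and need their own treatment."""
    tags = parse_tags(markup)
    if len(tags) != 1:
        return False
    tag, attrs = tags[0]
    return (tag == "input"
            and set(attrs) == {"type", "name", "value"}
            and attrs["value"] == user_input)

if __name__ == "__main__":
    for name, render in [("quotes only", render_quotes_only),
                         ("fully escaped", render_fully_escaped),
                         ("unescaped", render_unescaped)]:
        markup = render(PROBE)
        print(f"{name:14} confined={input_confined_to_attribute(markup, PROBE)}  {markup}")
```

With quote escaping alone the parser still sees a single `<input>` whose value is the literal probe, which is the post's point; only the unescaped variant yields a second `<script>` tag.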