All the getText() methods on com.atlassian.confluence.util.i18n.DefaultI18NBean are anontated as HtmlSafe which means that any parameter which gets passed in as an argument will not be auto html encoded by the Anti-XSS module.

The most straight forward way to fix this is to wrap the parameter inside double quotes to get it evaluated by Velocity before passing it to the getText() methods. The evaluation makes sure the value get auto html encoded.
For example convert

$action.getText("title.remove.page", [$action.getPage().getTitle()])

to

$action.getText("title.remove.page", ["$action.getPage().getTitle()"])

The optimal fix would be to not mark those methods as HtmlSafe and instead have no html tags in our i18n messages (namely ConfluenceActionSupport.properties). But that seems not feasible at this time as there are too many html tags in there which could not be easily removed.