CargoQueryDisplayer::getTextSnippet() calls html_entity_decode( $snippet ). This undoes the earlier HTML escaping of the field value, so any markup stored in the field is emitted raw, resulting in an XSS.
Steps to reproduce:
1. Have a Cargo field named "field" of type Searchtext. Put the following value in it: <script>alert(1)</script> foo bar
2. Have a Cargo query like the following:
{{#cargo_query: tables=Test |fields=field |format=table |where=field matches 'foo' }}
3. Note the alert box that pops up.
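The following is an added example, not Cargo's own code, that mirrors the pattern described above in a minimal snippet builder: it assumes (hypothetically) that the field value arrives already HTML-escaped and that match highlighting is inserted with preg_replace(). The vulnerable version decodes entities after the markup is added; the hardened version decodes first, escapes the plain text, and only then adds its own markup.

```php
<?php
// Added example, not the extension's code. Assumption: $storedValue is the
// field value after htmlspecialchars(); $term is the search term to highlight.

// Vulnerable pattern: html_entity_decode() after escaping hands raw
// markup from the stored value straight to the browser.
function snippetUnsafe( string $storedValue, string $term ): string {
	$pattern = '/(' . preg_quote( $term, '/' ) . ')/i';
	$snippet = preg_replace( $pattern, '<b>$1</b>', $storedValue );
	return html_entity_decode( $snippet, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Hardened pattern: decode to plain text, escape the plain text for output,
// then insert the highlight markup into the already-escaped string.
function snippetSafe( string $storedValue, string $term ): string {
	$plain = html_entity_decode( $storedValue, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	$escaped = htmlspecialchars( $plain, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	// Escape the term the same way so it matches inside the escaped text.
	$escapedTerm = htmlspecialchars( $term, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	$pattern = '/(' . preg_quote( $escapedTerm, '/' ) . ')/i';
	return preg_replace( $pattern, '<b>$1</b>', $escaped );
}

// Constructed input: the value from the reproduction steps, stored escaped.
$stored = htmlspecialchars( '<script>alert(1)</script> foo bar', ENT_QUOTES | ENT_HTML5, 'UTF-8' );

$unsafe = snippetUnsafe( $stored, 'foo' );
$safe = snippetSafe( $stored, 'foo' );

// Regression checks a test suite could keep: the unsafe output contains a
// live <script> tag, the hardened output contains only the escaped form.
assert( strpos( $unsafe, '<script>' ) !== false );
assert( strpos( $safe, '<script' ) === false );
assert( strpos( $safe, '&lt;script&gt;' ) !== false );
assert( strpos( $safe, '<b>foo</b>' ) !== false );

echo $safe, "\n";
```

Run with `php -d zend.assertions=1 snippet.php` so the assertions are evaluated; the printed line shows the escaped script text with only the highlight markup live.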