Magnolia Form Module, issue MGNLFORM-236

HTML escaping of form fields should be configurable


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Neutral
    • Versions: 2.2.7, 2.2.5

      The form module HTML-escapes all inputs by default. In certain situations this is not desirable.
      The clearest case is the password field: the stored password is not the 1:1 input whenever it contains allowed characters that escaping rewrites, which leads to problems when the same password is reused for other systems.

      The customer also needs to store the inputs of other fields unchanged (see the linked support ticket). Example of an original value to store:

      Research & Development

      becomes

      Research &amp; Development

      The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:

      final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));

      Suggested solution:
      All form fields should stay HTML-escaped by default to prevent XSS attacks,
      but each form field should offer a configuration option that disables escaping for that specific field.
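The suggested behaviour as an added, self-contained illustration (not Magnolia's own code): every field is escaped unless its configuration opts out. FieldConfig, escapeHtml, bind and the sample request values are hypothetical, and the hand-written escaper only stands in for EscapeUtil.escapeXss.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical sketch of escape-by-default binding with a per-field opt-out. */
public class FormFieldEscaping {
    /** Hypothetical field configuration: escaping is ON unless explicitly disabled. */
    static final class FieldConfig {
        final String name;
        final boolean escapeHtml;
        FieldConfig(String name, boolean escapeHtml) { this.name = name; this.escapeHtml = escapeHtml; }
        static FieldConfig of(String name) { return new FieldConfig(name, true); }   // secure default
    }

    /** Escapes the characters relevant for HTML injection; stand-in for EscapeUtil.escapeXss. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Joins multi-values with "__" as in the ticket, then escapes unless the field opted out. */
    static Map<String, String> bind(Map<String, String[]> request, Map<String, FieldConfig> fields) {
        Map<String, String> bound = new LinkedHashMap<>();
        for (FieldConfig f : fields.values()) {
            String raw = String.join("__", request.getOrDefault(f.name, new String[0]));
            bound.put(f.name, f.escapeHtml ? escapeHtml(raw) : raw);
        }
        return bound;
    }

    public static void main(String[] args) {
        Map<String, FieldConfig> fields = new LinkedHashMap<>();
        fields.put("department", FieldConfig.of("department"));       // default: "Research &amp; Development"
        fields.put("password", new FieldConfig("password", false));   // opt-out: stored 1:1, never rendered
        Map<String, String[]> request = new LinkedHashMap<>();        // constructed sample input
        request.put("department", new String[]{"Research & Development"});
        request.put("password", new String[]{"p<a&ss>w\"d"});
        bind(request, fields).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

The opt-out is only safe for fields whose stored value is never written back into a page, or is escaped again at render time.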

        Acceptance criteria

              People: Milan Divilek (mdivilek), Christian Ringele (cringele)