The following components do not escape input by default on submission: FileHandler, HiddenHandler, PasswordHandler, ResetHandler, SelectHandler, SubmitHandler, and TextFieldHandler. This opens up an XSS vulnerability by default.
They currently do something like:
.addIfExists("value", params.get("nameValue"), false)
.addIfExists("value", params.get("nameValue"), true)
I vote it defaults to escaping. Having an attribute added to toggle it would be nice too.
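To make the difference between the two calls concrete, here is an added example (not the project's code) of a minimal tag builder modelled on the addIfExists(name, value, escape) call quoted above; TagBuilder, escapeAttr and the submitted value are assumptions made for this demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not the project's code: a minimal tag builder modelled on the
// addIfExists(name, value, escape) call quoted above. TagBuilder, escapeAttr and
// the sample submitted value are assumptions made for this demonstration.
public class AttrEscapeDemo {
    /** Escape the characters that can terminate or alter a double-quoted HTML attribute. */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static final class TagBuilder {
        private final String tag;
        private final Map<String, String> attrs = new LinkedHashMap<>();
        TagBuilder(String tag) { this.tag = tag; }

        /** Skip absent values; escape only when the flag is true, as in the calls on the page. */
        TagBuilder addIfExists(String name, String value, boolean escape) {
            if (value != null) attrs.put(name, escape ? escapeAttr(value) : value);
            return this;
        }

        String render() {
            StringBuilder sb = new StringBuilder("<").append(tag);
            attrs.forEach((k, v) -> sb.append(' ').append(k).append("=\"").append(v).append('"'));
            return sb.append('>').toString();
        }
    }

    public static void main(String[] args) {
        // Constructed submitted value: a quote and angle brackets, as a user might type them.
        Map<String, String> params = Map.of("nameValue", "\"><b>injected</b>");
        // escape=false: the quote inside the value closes the attribute early and the rest becomes markup.
        System.out.println(new TagBuilder("input").addIfExists("value", params.get("nameValue"), false).render());
        // escape=true: the same value is rendered as entity-encoded text that stays inside the attribute.
        System.out.println(new TagBuilder("input").addIfExists("value", params.get("nameValue"), true).render());
    }
}
```

Running it shows the unescaped rendering producing a second element after the input, while the escaped rendering keeps the whole submitted string as the attribute's text.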