The default error handling for DefaultDecodeFailureHandler returns the invalid value in the response[1]. As the Content-Type header is set, this is not a direct XSS vulnerability, but it makes it easier for the client to expose itself to such issues.
Is it worth looking into if the default behavior should not contain the invalid values, or sanitize the content?
Hm, the invalid values are useful, especially when the validation error comes from a field nested somewhere in the body. It then makes it easier to pinpoint the problem.
What kind of sanitization do you think we could do?
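As an added illustration of the trade-off raised in this thread (keeping the invalid value in the error so the nested field can be pinpointed, while not handing the client raw markup), here is a small Python sketch. It is not the library's own decode failure handler and not code from either participant; the field path, the length cap `MAX_ECHOED`, the sample inputs and the header names on the response dict are constructed assumptions. It shows one answer to "what kind of sanitization": escape the echoed value, cap its length, and keep the response on a non-HTML content type with `nosniff`, plus a checker a defender could run over such responses.

```python
"""Constructed example: echoing an invalid value in a decode-failure response
without letting it become active content on the client side."""
import html

MAX_ECHOED = 64  # assumption: cap on how much of the invalid value is echoed back


def render_decode_failure(field_path: str, invalid_value: str) -> dict:
    """Build a 400 response that still pinpoints the offending field and value."""
    shown = invalid_value
    if len(shown) > MAX_ECHOED:
        # Keep the message useful without reflecting arbitrarily large payloads.
        shown = shown[:MAX_ECHOED] + "..."
    # HTML-escape the value so it cannot turn into markup even if a client
    # later drops this message into an HTML page without escaping it.
    shown = html.escape(shown, quote=True)
    return {
        "status": 400,
        "headers": {
            # Non-HTML content type: the browser will not render the body as a page.
            "Content-Type": "text/plain; charset=utf-8",
            # Stop browsers from sniffing the body into a different type.
            "X-Content-Type-Options": "nosniff",
        },
        "body": f"Invalid value for {field_path}: {shown}",
    }


def reflection_risk(response: dict) -> list:
    """List reasons why a response that echoes client input could end up rendered as HTML.

    Returns an empty list when the response looks safe to reflect input in.
    """
    problems = []
    headers = response.get("headers", {})
    ctype = headers.get("Content-Type", "").lower()
    if ctype == "" or ctype.startswith("text/html"):
        problems.append("content type allows HTML rendering")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        problems.append("missing nosniff; browser may sniff the body type")
    body = response.get("body", "")
    if "<" in body or ">" in body:
        problems.append("raw angle brackets in body")
    return problems
```

`reflection_risk` is deliberately header-based: as the first message notes, the content type is what keeps the echoed value from being a direct XSS, so that is the property worth asserting in a test suite alongside the escaping.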