Feb 22nd, 2011, 08:16 AM
#1
Usernames containing an email in failed login form are being escaped
Upon switching to emails as usernames in login forms, in case of login failure I get the ${SPRING_SECURITY_LAST_USERNAME} email-username displayed with escape characters instead of the original @ . - etc. This is of course very user unfriendly.
I am aware of the character escaping done on SPRING_SECURITY_LAST_USERNAME attribute value due to possible XSS attacks:
https://jira.springsource.org/browse/SEC-1377
https://jira.springsource.org/browse/SEC-812
However this leaves me in kind of an odd position, where I have to choose between basic user friendliness and application security, while implementing a rather common feature which is email addresses as usernames.
It's somewhat peculiar - XSS attacks are common to all web apps, not just Spring Security. Is it actually possible that any web app that displays the attempted username-email is vulnerable to that attack?
I'll be happy to know if there is a way to resolve this without compromising security.
Yuval
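The symptom described in the post (an email username coming back with entity escapes in the login form) is what you get when the attempted username is escaped once when it is stored and then escaped a second time by the view. The following is an added illustration, not code from the post or from Spring Security: it is plain Python rather than Java so it runs stand-alone, the inputs are constructed, and `escape_like_filter` is a hypothetical stand-in that only reproduces the effect described (every non-alphanumeric character becomes a numeric entity), not Spring's actual implementation. It contrasts the vulnerable raw reflection, the single-escape rendering that is both safe and readable, and the double-escape rendering that produces the visible `&#64;` garbage.

```python
import html
import re

# Constructed sample inputs (not taken from the original post).
EMAIL_USERNAME = "yuval.o-brien@example.com"
XSS_USERNAME = '"><script>alert(1)</script>'


def escape_like_filter(value: str) -> str:
    """Hypothetical stand-in for an aggressive server-side escaper: every
    non-alphanumeric character becomes a numeric entity, so '@', '.' and '-'
    in an email address are turned into '&#64;', '&#46;' and '&#45;'.
    This is an assumption that reproduces the effect described in the post,
    not Spring Security's own code."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#{ord(m.group(0))};", value)


def render_value_attr(value: str) -> str:
    """Emit the pre-filled username field. `value` is inserted verbatim, so it
    must already be safe for an HTML attribute context (escaped exactly once)."""
    return f'<input type="text" name="j_username" value="{value}">'


def render_raw(username: str) -> str:
    """Vulnerable: attacker-controlled text reflected with no escaping at all."""
    return render_value_attr(username)


def render_once(username: str) -> str:
    """Correct: keep the raw value and escape it exactly once, at output time,
    with an escaper that knows the attribute context (quotes included)."""
    return render_value_attr(html.escape(username, quote=True))


def render_prescaped(username: str) -> str:
    """Also fine: a value that was already entity-escaped on the server is
    written into the page without escaping it again."""
    return render_value_attr(escape_like_filter(username))


def render_double(username: str) -> str:
    """The symptom in the post: the stored value is already escaped and the
    view escapes it a second time (e.g. a template tag that escapes by
    default), so the entities themselves become visible text."""
    return render_value_attr(html.escape(escape_like_filter(username), quote=True))


def browser_shows(markup: str) -> str:
    """What the user sees in the text box: the attribute value after the
    browser decodes entities once. Only meaningful when the attribute was not
    broken out of; the extraction is naive but adequate for these samples."""
    m = re.search(r'value="(.*?)">$', markup)
    return html.unescape(m.group(1)) if m else ""


def attribute_breaks_out(markup: str) -> bool:
    """True if the username closed the value attribute and injected a tag."""
    return "<script>" in markup


if __name__ == "__main__":
    for name, fn in [("raw", render_raw), ("once", render_once),
                     ("prescaped", render_prescaped), ("double", render_double)]:
        for user in (EMAIL_USERNAME, XSS_USERNAME):
            markup = fn(user)
            print(f"{name:10} xss={attribute_breaks_out(markup)!s:5} "
                  f"shown={browser_shows(markup)!r}")
```

The takeaway for the question in the post is that escaping is what makes reflecting the attempted username safe, and it does not have to cost readability: an email address escaped exactly once still renders as the original `@`, `.` and `-`. The unfriendly output appears only when the value is escaped twice, so the fix is to escape in one place (either in the filter or in the view, not both), not to stop escaping.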