Allow not including the received (invalid) value in the error message created by DefaultDecodeFailureHandler

[adamw]

Or, sanitize it so that it's not html

See https://softwaremill.community/t/defaultdecodefailurehandler-and-potential-xss-on-the-client-side/459