When saving a field as plain text, the new field content would be

returned as HTML (through the use of force_text_type=html). This would

result in certain characters being encoded (which is also true when

loading the page initially). We then attempted to encode the text on

load again, leading to double-encoding.
We now turn off the second encoding when we render the text, preventing

this from happening.

Tested built-in and custom fields with a variety of content, including XSS

attempts, with text types set for markdown and for plain text.
I only ever saw proper rendered output, without anything improperly

rendered or executed.