It seems this widget is bugged as it should not render potential user input as HTML either way, especially not without an explicit setting. But you can escape the HTML so it doesn't show the HTML but the text. For example the Apache Commons library has a class for this, org.apache.commons.lang.StringEscapeUtils, so you could do this in a Java action. Simply call StringEscapeUtils.escapeHtml() and you'll get a string back that has the HTML characters escaped. So for example the < will be replaced with &lt; (notice I had to double escape these characters to make them show properly here too).
I filed a bug report. I hadn't thought of the security impact yet but you are absolutely right, Bas.
Now the newbie question: how to create the Java Action? (Assuming that the Java Action is the way to go) I've never done this so could you give a hint? I know how to add a Java Action, but I'm lost on what to specify where.
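The escaping suggested above, written as a small helper that a Java action taking a String parameter and returning a String could call from its generated user-code section. This is an added example, not code from the original posts or from Mendix. The class and method names are hypothetical, and it assumes commons-lang 2.x is on the classpath.

```java
import org.apache.commons.lang.StringEscapeUtils;

// Hypothetical helper (name chosen for this example).
public final class HtmlTextEscaper {

    private HtmlTextEscaper() {
        // static helper, not meant to be instantiated
    }

    /**
     * Returns the input with HTML metacharacters replaced by entities, so a
     * widget that renders its value as HTML shows the literal text instead.
     */
    public static String escapeForHtml(String input) {
        if (input == null) {
            return null; // nothing to escape; keep "no value" as it is
        }
        // Escapes <, >, & and the double quote (plus non-ASCII characters
        // that have a named HTML entity).
        String escaped = StringEscapeUtils.escapeHtml(input);
        // commons-lang 2.x leaves the apostrophe untouched because &apos; is
        // not an HTML 4 entity. Encode it numerically so the value is also
        // safe inside a single-quoted attribute.
        return escaped.replace("'", "&#39;");
    }

    // Stand-alone demonstration with a constructed sample value.
    public static void main(String[] args) {
        String sample = "<b title='note'>Tom & \"Jerry\"</b>";
        System.out.println(escapeForHtml(sample));
    }
}
```

Escape at the point where the value is handed to the HTML-rendering widget and keep the stored attribute unescaped, otherwise other consumers of the same attribute will show the entities literally.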
I suggest filing a bug/feature request at support.mendix.com.