Illegal XML in Model's Instance Edit View causes Model Property rendering to crash

(Bug, To be Fixed , Priority: Medium, Test Status: No automated tests yet , Reported By Justin du Coeur, )
Editor, Model Types
Summary: Suffice it to say, when we render a Model Type for editing, it can't cope with malformed XML in text.
The recipe here is a bit complex, but I hit it in A Respectful Calm. It goes like this.
Casting Form Model is a fairly complex input form that we use for casting. This includes input fields and a bunch of custom text, in an elaborate Instance Edit View. In that text, we included a link, and that link includes an ampersand.
We then have the Casting Form Property, which is a User Value Property based on Casting Form Model. The Casting Questionnaire then includes Casting Form, so going to that page shows the form for this user.
The problem is that the raw ampersand is causing a crash way deep in the system: specifically, where XmlHelpers.parseXhtmlFragment() tries to parse the XML. This is a very stringent parser, and chokes on the ampersand, giving a cryptic "Expected ';'" error. This is being called from ModelType.renderInputXml(), in order to take the results of the rendered wikitext and turn it back into Nodes.
The best fix to the immediate problem may be to rework the stack a bit, so that we stop this nonsensical translation back and forth between Wikitext and NodeSeq. But that's not easy.
Is there any security risk here? How should ampersands be treated as they come through the wikitext system?