After updating to Spring 5 all output from Spring freemarker macros are escaped. In <@spring.message> the message is escaped and in <@spring.formRadioButtons> the separator attribute is escaped f.x. "<br/>".
I've added corresponding ?no_esc declarations to the separators and to message rendering, both of which have indeed been an oversight. This is in master for 5.1.0.BUILD-SNAPSHOT now; I'll backport it to 5.0.8 ASAP.
Please give this a try against a recent snapshot: either 5.1.0.BUILD-SNAPSHOT or 5.0.8.BUILD-SNAPSHOT, available via Maven from https://repo.spring.io/snapshot... and let me know whether the default escaping behavior is now reasonably compatible with Spring 4.x again.
I see how this issue repairs compatibility with Spring 4. However, for those of us who expected some upgrade issues upgrading to Spring 5, observed this behavior change, and changed their code accordingly, this change in a minor release (5.0.7 -> 5.0.8) can introduce a MAJOR XSS vulnerability. Because we were now relying on freemarker properly escaping all messages, which it doesn't do anymore.
In fact, the only way to get proper escaping now, is to set <context-param><param-name>defaultHtmlEscape</param-name></context-param> in web.xml, but I can't find an equivalent in a MockMvc/HtmlUnit test setting.