form_prep doesn't correctly use already prepped fields in CI 1.7.2
#6

[eluser]kenjis[/eluser]
If 1.7.2's form_prep is a spec, there is a security problem like this:

In Japan, in general, a confirmation page is required. On the confirmation page,
if we use hidden input tags to pass the user input data back when a user returns to the input
page, there is an XSS vulnerability.

Code:
<!-- confirmation display: first set_value() call for each field -->
<dl>
  <dt>name:</dt>
  <dd><?php echo set_value('name'); ?></dd>
  <dt>e-mail:</dt>
  <dd><?php echo set_value('email'); ?></dd>
  <dt>subject:</dt>
  <dd><?php echo set_value('subject'); ?></dd>
  <dt>body:</dt>
  <dd><?php echo nl2br(set_value('body')); ?></dd>
</dl>

<!-- hidden inputs carrying the data back: second set_value() call for each field -->
<div>
  <form action="<?php echo site_url('form'); ?>" method="post">
    <?php echo form_hidden('name', set_value('name')); ?>
    <?php echo form_hidden('email', set_value('email')); ?>
    <?php echo form_hidden('subject', set_value('subject')); ?>
    <?php echo form_hidden('body', set_value('body')); ?>
    <p><input type="submit" value="back to input page" /></p>
  </form>
  <form action="<?php echo site_url('form/post'); ?>" method="post">
    <?php echo form_hidden('name', set_value('name')); ?>
    <?php echo form_hidden('email', set_value('email')); ?>
    <?php echo form_hidden('subject', set_value('subject')); ?>
    <?php echo form_hidden('body', set_value('body')); ?>
    <p><input type="submit" value="send" /></p>
  </form>
</div>
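
The following is an added example, not code from the post above and not CodeIgniter's own code. It models the behaviour the thread title describes: an escaper that keeps a static list of field names it has already prepped and returns later values for the same name unchanged (this mechanism is assumed from the title, not quoted from the library). With the confirmation page calling set_value('name') twice per field, the second call reaches the hidden input unescaped. The stateless alternative shown beside it escapes every time without re-encoding existing entities, so passing a value through it twice is harmless. All function names (prep_tracked, prep_idempotent, hidden_tracked, hidden_idempotent) and the sample input are hypothetical.

```php
<?php
// Added example; not code from the original post or from CodeIgniter.
// prep_tracked() is a constructed stand-in for a form_prep that remembers
// which field names it has already escaped. prep_idempotent() is the
// stateless alternative. All names here are hypothetical.

function prep_tracked(string $str, string $field_name = ''): string
{
    static $prepped_fields = [];

    if ($str === '') {
        return '';
    }

    // Field already seen: the value is assumed to be escaped and passes through.
    if ($field_name !== '' && isset($prepped_fields[$field_name])) {
        return $str;
    }

    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

    if ($field_name !== '') {
        $prepped_fields[$field_name] = true;
    }

    return $str;
}

// Stateless escaper: always escapes, but leaves entities that are already
// present alone (double_encode = false), so escaping twice equals escaping once.
function prep_idempotent(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8', false);
}

// Hidden-input helpers mirroring the template in the post: the value is run
// through the escaper a second time inside the helper, like
// form_hidden('name', set_value('name')).
function hidden_tracked(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . prep_tracked($value, $name) . '" />';
}

function hidden_idempotent(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . prep_idempotent($value) . '" />';
}

// Constructed user input: a quote and a tag are enough to leave the attribute
// context if the value reaches the page unescaped.
$input = 'Alice" data-injected="<b>';

// Same call order as the confirmation page: display the value first, then
// build the hidden field from a second call for the same field name.
echo "shown:     " . prep_tracked($input, 'name') . "\n";
echo "tracked:   " . hidden_tracked('name', prep_tracked($input, 'name')) . "\n";
echo "stateless: " . hidden_idempotent('name', prep_idempotent($input)) . "\n";

// The stateless path is idempotent: one or two escapes give identical markup.
var_dump(hidden_idempotent('name', $input) === hidden_idempotent('name', prep_idempotent($input)));
```

Running this prints the shown value escaped, then a tracked hidden input whose value attribute is terminated early by the raw quote, then a stateless hidden input that is intact; the final var_dump is bool(true). The practical point for a template like the one above is that an escaper which is safe to apply repeatedly needs no memory of which fields it has handled, so form_hidden('name', set_value('name')) cannot be tricked into emitting raw input.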


Messages In This Thread
form_prep doesn't correctly use already prepped fields in CI 1.7.2 - by El Forum - 02-12-2010, 11:26 PM