Using the POST HTTP method, Site Scanner found that:
- The following resources may be vulnerable to cross-site scripting (extended patterns):
  - The 'email' parameter of the /customer/account/forgotpasswordpost/ CGI:
    /customer/account/forgotpasswordpost/ [email=508 src=http://www.example.com/exploit508.js]
As far as I can see in the code, Magento sanitizes _GET/_POST. How can I get this fixed?
I guess this will depend on what version of Magento you are running. The default location for the template in question is
app/design/frontend/base/default/template/customer/form/forgotpassword.phtml. The only user-editable value that is echoed out to the screen is the e-mail address; certainly in Magento 1.6 this is passed through the template block's htmlEscape method, but it's worth checking that it is in your version of Magento. If you find that it already is, then it would be worth checking that this template isn't being overridden in your current theme.
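The two checks the answer suggests (is the e-mail value escaped, and does a theme override the base template) as an added PHP example; this is not code from the post or from Magento. It assumes the block accessor is `getEmailValue()` and that `htmlEscape()` reduces to `htmlspecialchars($s, ENT_COMPAT, 'UTF-8', false)` for a plain string, which is what `Mage_Core_Helper_Abstract::escapeHtml()` does in 1.x; the template snippets and the payload are constructed for the demonstration, not the real file contents or the scanner's exact string.

```php
<?php
// Added example (not from the original post or from Magento).
// 1. Renders the e-mail value raw (vulnerable) and through htmlEscape() (hardened).
// 2. Audits copies of customer/form/forgotpassword.phtml for an echo of the
//    e-mail value that bypasses htmlEscape()/escapeHtml().
// Assumptions: accessor is getEmailValue(); htmlEscape() == htmlspecialchars(ENT_COMPAT).
declare(strict_types=1);

// Constructed payload in the style of the scanner finding (not its exact string).
const PAYLOAD = '508"><script src=http://www.example.com/exploit508.js></script>';

// What Magento's htmlEscape() reduces to for a plain string (assumption, see above).
// ENT_COMPAT leaves single quotes alone, so the attribute MUST be double-quoted.
function mageEscape(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8', false);
}

// Vulnerable rendering: value interpolated raw into the attribute.
function renderRaw(string $email): string
{
    return '<input type="text" name="email" id="email_address" value="' . $email . '" />';
}

// Hardened rendering: same markup, value passed through the escape helper.
function renderEscaped(string $email): string
{
    return '<input type="text" name="email" id="email_address" value="' . mageEscape($email) . '" />';
}

// Returns "<line>: <source>" for each echo of getEmailValue() not wrapped in an escape call.
// Only direct echoes are checked; a value copied to a variable first is not followed.
function findUnescapedEchoes(string $templateSource): array
{
    $hits = [];
    foreach (explode("\n", $templateSource) as $n => $line) {
        if (!preg_match('/echo\s+\$this->getEmailValue\(\)/', $line)) {
            continue; // not a direct echo of the user-controlled value
        }
        if (preg_match('/(htmlEscape|escapeHtml)\(\s*\$this->getEmailValue\(\)/', $line)) {
            continue; // escaped
        }
        $hits[] = ($n + 1) . ': ' . trim($line);
    }
    return $hits;
}

// Constructed template snippets (hypothetical, not the shipped file contents).
$vulnerableTemplate = <<<'PHTML'
<form action="<?php echo $this->getUrl('*/*/forgotpasswordpost') ?>" method="post" id="form-validate">
    <input type="text" name="email" id="email_address" value="<?php echo $this->getEmailValue() ?>" />
</form>
PHTML;

$hardenedTemplate = <<<'PHTML'
<form action="<?php echo $this->getUrl('*/*/forgotpasswordpost') ?>" method="post" id="form-validate">
    <input type="text" name="email" id="email_address" value="<?php echo $this->htmlEscape($this->getEmailValue()) ?>" />
</form>
PHTML;

echo "Raw:     ", renderRaw(PAYLOAD), "\n";
echo "Escaped: ", renderEscaped(PAYLOAD), "\n\n";

foreach (['vulnerable' => $vulnerableTemplate, 'hardened' => $hardenedTemplate] as $name => $src) {
    $hits = findUnescapedEchoes($src);
    echo "$name snippet: ", $hits ? 'UNESCAPED echo found' : 'ok', "\n";
    foreach ($hits as $h) {
        echo "  $h\n";
    }
}

// Optional: audit a real install. Pass the Magento root as the first argument; the glob
// covers base/default plus every package/theme override of the same template.
if (isset($argv[1])) {
    $pattern = rtrim($argv[1], '/')
        . '/app/design/frontend/*/*/template/customer/form/forgotpassword.phtml';
    foreach (glob($pattern) ?: [] as $file) {
        $hits = findUnescapedEchoes((string) file_get_contents($file));
        echo $file, ': ', $hits ? 'UNESCAPED echo found' : 'ok', "\n";
        foreach ($hits as $h) {
            echo "  $h\n";
        }
    }
}
```

Run it as `php check_forgotpassword.php /path/to/magento`. Without an argument it only renders the constructed payload both ways and audits the two inline snippets; with one it also lists every copy of the template under app/design/frontend, so an override in your theme that echoes the value raw shows up even when base/default is fine. Because the escape helper uses ENT_COMPAT, an override that moves the value into a single-quoted attribute would still be exploitable even with htmlEscape in place; keep the attribute double-quoted.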