I would not recommend showing a user's password for security reasons. If you do show it thought, then using xss_clean would probably complicate things as it probably removes or escapes some special chars like <, > and &.