No, it isn't. That username/password can be used to access an object
that you presumably want everyone who can access the web page
containing that URL to be able to get to. Since they can get the
object from that web page, there shouldn't be any harm in them having
the username/password pair.
Now, if that username/password pair is used to protect something in
addition to the object the URL points at, then something stupid is
going on. It's that someone is trying to use a single
username/password pair to protect two different things at (presumably)
different levels of security. The latter thing should be fixed.
BTW, even if you could encrypt the HTML in some way, you've still got
to prevent the browser from displaying the URL of the document it
fetches, as that will contain the username/password pair as well.
<mike