ExpressionEngine / ExpressionEngine

ExpressionEngine is a flexible, feature-rich, free open-source content management platform that empowers hundreds of thousands of individuals and organizations around the world to easily manage their web site.
https://expressionengine.com

xss cleaner is goobering up a title, and I'm not sure how to fix it. #4395

Open robinsowell opened 3 months ago

robinsowell commented 3 months ago

I have a title that has &FS in it as part of an acronym. It gets a ; stuck on the end after saving the entry. I tracked it down to the XSS security library:

```php
/*
 * URL Decode
 *
 * Just in case stuff like this is submitted:
 *
 * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
 *
 * Only operate inside tags, since those are the only places a browser is going to decode
 *
 */
$str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", [$this, 'decodeUrlCallback'], $str);
```

I'm not even sure it's a bug per se, but it's problematic for this entry.

shbchk commented 2 months ago

I guess, this issue goes here also:

I got this title: "Ape&Bjørn"

After saving it becomes Ape&Bj;ørn;

shbchk commented 2 months ago

Just got another one

Fabian&Fred;

intoeetive commented 2 months ago

The XSS filter is indeed changing the input in some cases where there's really no XSS

@TomJaeger - we need to reconsider what we've discussed about updating XSS library
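The following is an added illustration, not code from ExpressionEngine or from anyone in this thread. It assumes (as an assumption, since the thread does not show the responsible line) that the mangling comes from an "entity completion" pass of the kind found in legacy xss_clean filters: any `&` followed by two or more alphanumerics gets a `;` appended so the filter and the browser agree on what is an entity. The constructed `naive_complete_entities` reproduces the `&FS` -> `&FS;` and `Fabian&Fred` -> `Fabian&Fred;` results reported above (and only the first of the two semicolons in the `Ape&Bjørn` case). `complete_known_entities` shows a less destructive variant that only completes names that are real HTML entities, and `escape_for_html` shows the conventional alternative of leaving stored titles untouched and escaping at output time.

```python
import re
import html
from html.entities import html5

# Constructed, simplified version of an entity-completion pass (assumption:
# this is the behaviour behind the reports in the thread). Matches '&' or '&#'
# followed by at least two alphanumerics, optional whitespace, optional ';'.
ENTITY_LIKE = re.compile(r'(&#?[0-9a-z]{2,})([\x00-\x20]*);?', re.IGNORECASE)


def naive_complete_entities(s: str) -> str:
    """Append ';' to every entity-looking run, whether or not it is an entity.

    This is the mangling behaviour: '&FS' -> '&FS;', 'Fabian&Fred' -> 'Fabian&Fred;'.
    """
    return ENTITY_LIKE.sub(r'\1;\2', s)


def complete_known_entities(s: str) -> str:
    """Only complete numeric references and names that are actual HTML5 entities.

    Anything else ('&FS', '&Fred', '&Bj') is ordinary text and is left alone.
    """
    def fix(m: re.Match) -> str:
        name, trailing = m.group(1), m.group(2)
        if name.startswith('&#'):
            # Numeric character reference: browsers decode these with or
            # without ';', so normalising the ';' does not change meaning.
            return name + ';' + trailing
        if name[1:] + ';' in html5:
            # A real named entity written without its ';' (e.g. '&lt').
            return name + ';' + trailing
        # Not an entity: return the original match untouched.
        return m.group(0)
    return ENTITY_LIKE.sub(fix, s)


def escape_for_html(title: str) -> str:
    """Output-time escaping: store the raw title, escape when rendering.

    '&FS' becomes '&amp;FS', which displays as '&FS' and cannot start an entity.
    """
    return html.escape(title, quote=True)


if __name__ == '__main__':
    # Constructed sample titles, taken from the reports in this thread.
    for title in ('&FS', 'Ape&Bjørn', 'Fabian&Fred', 'a &lt b'):
        print(f'{title!r:16} naive={naive_complete_entities(title)!r:18} '
              f'known={complete_known_entities(title)!r:18} '
              f'escaped={escape_for_html(title)!r}')
```

The point of the comparison is that the filter's damage comes from treating every `&word` as an entity; checking the name against the real entity table keeps the protective normalisation for `&lt` and `&#60` while leaving acronyms and names alone, and escaping at output removes the need to rewrite stored titles at all.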