Fix issues with Xmf\Request::MASK_ALLOW_HTML

[geekwright]

FilterInput::clean() always filters HTML, thus ignoring the MASK_ALLOW_HTML if specified in Request.

• Add failing test for issue
• Non-configurable static clean() method documented as using default filter.
• Adds non static cleanVar() method that respects instantiated filters.
• Add tests for new method