Afterhave proven that even battle hardened core developers can't write XSS free code we have introduced to fix a torrent of security holes already present in core known and unknown and to avoid the most frequent kind of sechole(Security Hole) in the history of Drupal contrib. However, this has broken some places that were already securely written, resulting in broken layout and HTML tags shown to users. We need to find those places and update them to be compatible with the new method.
Can be tricky to discover the double escaping.
@dawehner's and @joelpittet's idea about testing existing checked routes that are already tested for double escaping.
Duckpatch drupalGet/drupalPost methods in simpletest to check for double escaping on pages.
Potentially a more permanent fixture could be possible.
FAILED: [[SimpleTest]]: [PHP 5.5 MySQL] 146,825 pass(es), 161 fail(s), and 0 exception(s). View