[eluser]jeffpeck[/eluser]
As for the HTML entities, that is not a bug. HTML tags must be encoded before being sent so as not to be confused with the XML, and therefore need to be decoded on return.
It is more an issue that I should be able to choose whether I want to xss clean everything that comes through XMLRPC, just like I can do with POST and GET. I understand that one might want to remove any malicious code from a response, for example if one were to use XMLRPC as a web service backend to a public blog where you can't have people posting [removed] tags in their blog entries to steal cookies, etc. But in a controlled environment where you need the ability to send unaltered HTML, this is a major drawback.
I do not like the idea of editing the files in the /system/ directory since then I have to remember to change it when there is an update.
I am currently working on finding a nice clean way to encode/decode any strings that are sent or received so the XSS cleaner won't even recognize them.
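The two points above, illustrated as an added example that is not part of the original post or of CodeIgniter's own XML-RPC library: the HTML inside an XML-RPC `<string>` value has to be entity-encoded or the XML is not well-formed, decoding on receipt restores it byte-for-byte, and XSS cleaning can be made a per-call choice (the way `$this->input->post($key, TRUE)` is) rather than something applied to every inbound value. The `clean_html()` function is a constructed stand-in for a real sanitizer such as `xss_clean()`, not a complete filter.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// Demonstrates: (1) entity-encoding HTML so it survives inside XML-RPC,
// (2) decoding it unaltered on the receiving side, (3) opt-in XSS cleaning
// per call instead of a global filter on everything that comes through XML-RPC.

function encode_param(string $value): string {
    // '<', '>', '&' and quotes must be entity-encoded or the XML parser
    // would treat them as markup; this is expected, not a defect.
    $encoded = htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<param><value><string>' . $encoded . '</string></value></param>';
}

function build_request(string $method, array $params): string {
    $body = implode('', array_map('encode_param', $params));
    return '<?xml version="1.0"?><methodCall><methodName>'
        . htmlspecialchars($method, ENT_XML1, 'UTF-8')
        . '</methodName><params>' . $body . '</params></methodCall>';
}

function clean_html(string $html): string {
    // Constructed stand-in for a real sanitizer (e.g. CI's xss_clean()).
    // Strips <script> blocks and inline on* event handlers only; a real
    // deployment should use a maintained allow-list HTML sanitizer.
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    return preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
}

function parse_request(string $xml, bool $xss_clean = false): array {
    // LIBXML_NONET keeps the parser from fetching external resources.
    // SimpleXML decodes the entities, so the HTML comes back as it was sent.
    $doc = new SimpleXMLElement($xml, LIBXML_NONET);
    $out = [];
    foreach ($doc->params->param as $p) {
        $s = (string) $p->value->string;
        // Cleaning is the caller's decision, per request, not a global default.
        $out[] = $xss_clean ? clean_html($s) : $s;
    }
    return $out;
}

// Constructed sample payload: legitimate markup plus a script block.
$html = '<p>Hello <b>world</b> &amp; friends</p><script>alert(1)</script>';
$req  = build_request('blog.post', [$html]);

// Controlled environment: the HTML must arrive exactly as it was sent.
var_dump(parse_request($req)[0] === $html);

// Public-facing endpoint: the same request, with cleaning switched on.
echo parse_request($req, true)[0], "\n";
```

The design point is that the transport encoding and the XSS policy are separate concerns: the entity encoding belongs to XML-RPC and is always reversed, while whether a decoded value is sanitized is decided by the code that knows where the data is going (trusted back end versus public blog), which is the same split CodeIgniter already offers for POST and GET.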