[eluser]Unknown[/eluser]
if field contains value such
'?auto_brand=1&auto;_model=&size=1'
xss_clean converts it to
'?auto_brand=1&auto;_model=&size=1'
and then shows 'Disallowed Key Characters.'
solved:
class Input
$str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);
change to
$str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]?)|i', $this->xss_hash()."\\1=\\2", $str);