metajack / strophejs

The Strophe.js repository has moved to https://github.com/strophe/strophejs

Home Page:http://strophe.im/strophejs


Possible bug in escaping/unescaping text

rj33 opened this issue · comments

commented

I was having a look at the new xmlunescape function recently added, and think there might be a bug or two in the escaping code.
Firstly:
```javascript
getText: function (elem)
{
    if (!elem) { return null; }
    var str = "";
    if (elem.childNodes.length === 0 && elem.nodeType ==
        Strophe.ElementType.TEXT) {
        str += elem.nodeValue;
    }
    for (var i = 0; i < elem.childNodes.length; i++) {
        if (elem.childNodes[i].nodeType == Strophe.ElementType.TEXT) {
            str += elem.childNodes[i].nodeValue;
        }
    }
    return Strophe.xmlescape(str);
},
```

That xmlescape has been there for a while, but I'm wondering if that should perhaps have been an unescape, rather than escape, and should be calling the new xmlunescape function?

The code seems to use xmlescape when creating TEXT nodes (and attribute values), so I would have thought when we extract text back out of them, we should be unescaping rather than escaping, but perhaps I'm misreading the code?

I also wonder if the following code for escaping attribute values should just be calling the xmlescape function?:
```javascript
for (i = 0; i < elem.attributes.length; i++) {
    if(elem.attributes[i].nodeName != "_realname") {
        result += " " + elem.attributes[i].nodeName.toLowerCase() +
            "='" + elem.attributes[i].value
                .replace(/&/g, "&amp;")
                .replace(/'/g, "&apos;")
                .replace(/>/g, "&gt;")
                .replace(/</g, "&lt;") + "'";
    }
}
```
Strictly speaking, we don't need to escape " as we are enclosing in an apostrophe pair (a bit hard to tell with my browser font), but just in case, and for reducing code duplication it probably makes sense to just use the xmlescape function here, as I don't think it is worth the near duplication just to remove one replace call in the chain.
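To make the escape-versus-unescape question concrete, here is an added example that is not Strophe's own code: it assumes `xmlescape`/`xmlunescape` cover the five XML entities, stands in for the DOM with plain objects so it runs in Node, and runs the quoted `getText` logic both ways over a text node that was built from already-escaped input.

```javascript
// Added example, not part of the strophejs repository.
const ElementType = { NORMAL: 1, TEXT: 3 }; // DOM nodeType values

// Assumed to match Strophe's xmlescape: '&' first so later replacements
// are not re-encoded.
function xmlescape(text) {
  return text.replace(/&/g, "&amp;")
             .replace(/</g, "&lt;")
             .replace(/>/g, "&gt;")
             .replace(/'/g, "&apos;")
             .replace(/"/g, "&quot;");
}

// Assumed to match Strophe's xmlunescape: '&amp;' last, so that an input
// such as "&amp;lt;" decodes to "&lt;" and not to "<".
function xmlunescape(text) {
  return text.replace(/&lt;/g, "<")
             .replace(/&gt;/g, ">")
             .replace(/&apos;/g, "'")
             .replace(/&quot;/g, '"')
             .replace(/&amp;/g, "&");
}

// Constructed stand-ins for the DOM objects getText() walks.
function textNode(value) {
  return { nodeType: ElementType.TEXT, nodeValue: value, childNodes: [] };
}
function element(children) {
  return { nodeType: ElementType.NORMAL, childNodes: children };
}

// The getText() logic quoted in the issue, parameterised by the final step
// so the current behaviour (xmlescape) and the suggested one (xmlunescape)
// can be compared on identical input.
function getTextWith(finish, elem) {
  if (!elem) { return null; }
  let str = "";
  if (elem.childNodes.length === 0 && elem.nodeType === ElementType.TEXT) {
    str += elem.nodeValue;
  }
  for (const child of elem.childNodes) {
    if (child.nodeType === ElementType.TEXT) { str += child.nodeValue; }
  }
  return finish(str);
}

// Text that was escaped on the way in, as the issue says happens when
// Strophe creates TEXT nodes.
const original = "Tom & Jerry <3 'quotes'";
const node = element([textNode(xmlescape(original))]);

const escapedAgain = getTextWith(xmlescape, node);   // entities encoded twice
const roundTripped = getTextWith(xmlunescape, node); // original text recovered
```

Double-encoded output like `escapedAgain` is the symptom to look for: `&amp;amp;` in a message body means the text was escaped once more than it was unescaped.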

commented

Oops, sorry, I realised I was looking at the old repo, not the new one. The attribute escaping is already fixed, and I'll open the potential issue with calling escape instead of unescape on the official repo.