Click escapes Control values and attributes using HTML entities, which doesn't play nice when returning XML payloads for Ajax requests.
I suggest we only escape dangerous HTML characters > < " ' &, with the option of switching escaping off.
Is there any reason to escape all HTML entities?
PS: Apostrophe should be escaped as "& #039;" not "& apos;". apos is not a valid HTML entity