In 3.0, the filespec class was provided with a raw $_FILES array, which meant that it had to run the file name through htmlspecialchars() itself. In 3.1, it's provided with the result from request.file() which has the file name already sanitized, but the filespec class still has the same behaviour as 3.0. So, the file name is run through htmlspecialchars() twice resulting in a name such as ajax_&<b>error.png ultimately becoming

ajax_&<b>error.png