MantisBT: master-1.2.x bed19db9

Author: dregad
Committer: dregad
Branch: master-1.2.x
Timestamp: 2014-11-01 10:45
Parent: master-1.2.x dc9f0157
Affected Issues: 0017725: CVE-2014-7146 : PHP Code Injection Vulnerability in XmlImportExport plugin
Changeset

XML Import: Fix php code injection vulnerability

Egidio Romano discovered a vulnerability in the XML import plugin.

User input passed through the "description" field (and the "issuelink"
attribute) of the uploaded XML file isn't properly sanitized before
being used in a call to the preg_replace() function which uses the 'e'
modifier. This can be exploited to inject and execute arbitrary PHP code
when the Import/Export plugin is installed.

This fix is a partial backport from a master branch commit which has
been confirmed as addressing the issue (84017535f8718685d755d58af7a39d80f52ffca8)
excluding changes not relevant to fixing the security issue, including
subsequent fixes (aea1a348043979e75a6cc021e4a0a7f8d3bb7211,
4350b4d4f0ee4fba423edcae1cd2117dc1e2d63b).

Fixes 0017725 (CVE-2014-7146)

mod - plugins/XmlImportExport/ImportXml.php
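
The commit message above attributes the bug to imported text reaching preg_replace() with the 'e' modifier. The following is an added example, not MantisBT's code and not this patch: it shows a common way to remove that class of bug in PHP 7+, by doing the substitution in a preg_replace_callback() closure so that matched text is only ever handled as data. The function name `rewrite_issue_links`, the `$idMap` structure, the `#` link tag and the sample description are assumptions made for the illustration.

```php
<?php
// Added illustration; not taken from plugins/XmlImportExport/ImportXml.php.
// Assumptions: the '#' link tag, the old-id => new-id map and all names below.

// Background: with the 'e' modifier, preg_replace() evaluated the replacement
// string as PHP code after substituting the matched text into it. The modifier
// was deprecated in PHP 5.5 and removed in PHP 7.0. A callback receives the
// match as an array of strings instead, and nothing is evaluated.

/**
 * Rewrite "#<old id>" references in imported text to the ids assigned on import.
 *
 * @param string $text    imported field value (untrusted)
 * @param array  $idMap   old issue id => new issue id
 * @param string $linkTag prefix that marks an issue reference
 */
function rewrite_issue_links(string $text, array $idMap, string $linkTag = '#'): string
{
    // preg_quote() keeps a configurable tag from altering the pattern itself.
    $pattern = '/(^|[^\w])' . preg_quote($linkTag, '/') . '(\d+)\b/';

    $result = preg_replace_callback(
        $pattern,
        function (array $m) use ($idMap, $linkTag): string {
            // $m[2] is digits only; ids missing from the map are left unchanged.
            $newId = $idMap[$m[2]] ?? $m[2];
            return $m[1] . $linkTag . $newId;
        },
        $text
    );

    // preg_replace_callback() returns null on a PCRE error; fail closed
    // rather than storing an empty description.
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input, as it might appear in an imported "description".
$description = 'Duplicate of #12, see also #7 and #99.';
echo rewrite_issue_links($description, [12 => 301, 7 => 302]), PHP_EOL;
```

When auditing older PHP code for the same pattern, search for preg_replace() calls whose pattern delimiter is followed by a modifier string containing `e`, including patterns assembled from variables.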