The "Anti-XSS" setting should be removed from the Admin console. It was originally there as a compatibility measure, and has been enabled by default since 3.0 or 3.1.
Instances with it turned off should be upgraded to have it on by default as part of this fix. We should add a system property to disable it in case someone really needs to turn it off.
See also: CONF-21051.