sanitize replace & with & on whitelisted elements

gistfile1.txt

my processor:
  OK_FLASH = /^http:\/\/(?:www\.)?youtube\.com\/v\/|^http:\/\/(?:\w+\.)?grooveshark\.com\/songWidget.swf/
  
  # how to easily replace @ reload without reloading full server?
  T_YOUTUBE = lambda do |env|
    node      = env[:node]
    node_name = env[:node_name]
    parent    = node.parent
    
    return nil unless (node_name == 'param' || node_name == 'embed') &&
        parent.name.to_s.downcase == 'object'
    
    if node_name == 'param'
      # Quick XPath search to find the <param> node that contains the video URL.
      return nil unless movie_node = parent.search('param[@name="movie"]')[0]
      url = movie_node['value']
    else
      # Since this is an <embed>, the video URL is in the "src" attribute. No
      # extra work needed.
      url = node['src']
    end
    
    #d "testing url #{url}"
    return nil unless url =~ OK_FLASH
    #d "allowing #{url}"
        
    # strip autoplays.  hmm, removing p=1 could be dangerous?
    node['value'] = node['value'].gsub(/autoplay=1|p=1/i,"").gsub(/&amp;/,"&") if node['value']
    node['src'] = node['src'].gsub(/autoplay=1|p=1/i,"").gsub(/&amp;/,"&") if node['src']
    
    #d "value, src", node['value'], node['src']
    # We're now certain that this is a YouTube embed, but we still need to run
    # it through a special Sanitize step to ensure that no unwanted elements or
    # attributes that don't belong in a YouTube embed can sneak in.
    # flashvars
    
    #egads, starting to look more sensible to replace allowed elements to [grooveshark 1221111] again.
    Sanitize.clean_node!(parent, {
      :elements   => ['embed', 'object', 'param'],
      :attributes => {
        'embed'  => ['allowfullscreen', 'allowscriptaccess', 'height', 'src', 'type', 'width','flashvars','type'],
        'object' => ['height', 'width'],
        'param'  => ['name', 'value']
      }
    })

    # so even though embed is disallowed, this will whitelist this node.  need to pass node to have changes reflected

    # Now that we're sure that this is a valid YouTube embed and that there are
    # no unwanted elements or attributes hidden inside it, we can tell Sanitize
    # to whitelist the current node (<param> or <embed>) and its parent
    # (<object>).
    {:node_whitelist => [node, parent]}
  end if !defined? T_YOUTUBE
  

embed: 

<object width="250" height="40"> <param name="movie" value="http://grooveshark.com/songWidget.swf" /> <param name="wmode" value="window" /> <param name="allowScriptAccess" value="always" /> <param name="flashvars" value="hostname=cowbell.grooveshark.com&widgetID=25096656&style=metal&p=0" /> <embed src="http://grooveshark.com/songWidget.swf" type="application/x-shockwave-flash" width="250" height="40" flashvars="hostname=cowbell.grooveshark.com&widgetID=25096656&style=metal&p=0" allowScriptAccess="always" wmode="window" /></object>


results:

*mystring.rb:207 --- 
- value, src
- http://grooveshark.com/songWidget.swf
- 
*mystring.rb:207 --- 
- value, src
- window
- 
*mystring.rb:207 --- 
- value, src
- always
- 
*mystring.rb:207 --- 
- value, src
- hostname=cowbell.grooveshark.com&widgetID=25096656&style=metal&p=0
- 
*mystring.rb:207 --- 
- value, src
- 
- http://grooveshark.com/songWidget.swf
*mystring.rb:457 --- 
- after cleaning
- |-
  adsf
  
  <object width="250" height="40"> <param name="movie" value="http://grooveshark.com/songWidget.swf">
  <param name="wmode" value="window">
  <param name="allowScriptAccess" value="always">
  <param name="flashvars" value="hostname=cowbell.grooveshark.com&amp;widgetID=25096656&amp;style=metal&amp;p=0">
  <embed src="http://grooveshark.com/songWidget.swf" type="application/x-shockwave-flash" width="250" height="40" flashvars="hostname=cowbell.grooveshark.com&amp;widgetID=25096656&amp;style=metal&amp;p=0" allowscriptaccess="always"></embed></object>

Somehow the &'s get replaced with &amp;, despite being fine when I'm checking the 'value' parameter inside the filter, and whitelisting the current node.

Any tips welcome & thanks for a great project!