Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(revision 5645)
+++ wp-includes/formatting.php	(working copy)
@@ -1075,7 +1075,7 @@
 	return apply_filters('richedit_pre', $output);
 }
 
-function clean_url( $url, $protocols = null ) {
+function clean_url( $url, $protocols = null, $context = 'display' ) {
 	if ('' == $url) return $url;
 	$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%]|i', '', $url);
 	$strip = array('%0d', '%0a');
@@ -1085,8 +1085,9 @@
 	if ( strpos($url, '://') === false &&
 		substr( $url, 0, 1 ) != '/' && !preg_match('/^[a-z0-9-]+?\.php/i', $url) )
 		$url = 'http://' . $url;
-	
-	$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+
+	if ( 'display' == $context )
+		$url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
 	if ( !is_array($protocols) )
 		$protocols = array('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet'); 
 	if ( wp_kses_bad_protocol( $url, $protocols ) != $url )
Index: wp-includes/widgets.php
===================================================================
--- wp-includes/widgets.php	(revision 5645)
+++ wp-includes/widgets.php	(working copy)
@@ -872,7 +872,7 @@
 	$options = $newoptions = get_option('widget_rss');
 	if ( $_POST["rss-submit-$number"] ) {
 		$newoptions[$number]['items'] = (int) $_POST["rss-items-$number"];
-		$url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])));
+		$url = clean_url(strip_tags(stripslashes($_POST["rss-url-$number"])), '', 'save');
 		$newoptions[$number]['title'] = trim(strip_tags(stripslashes($_POST["rss-title-$number"])));
 		if ( $url !== $options[$number]['url'] ) {
 			require_once(ABSPATH . WPINC . '/rss.php');