Index: wp-includes/pluggable.php
===================================================================
--- pluggable.php	(revision 14510)
+++ pluggable.php	(working copy)
@@ -904,6 +904,8 @@
 	// remove %0d and %0a from location
 	$strip = array('%0d', '%0a', '%0D', '%0A');
 	$location = _deep_replace($strip, $location);
+	// convert any &amp; to &
+	$location = str_replace(array('&amp;', '#038;'), '&', $location);
 	return $location;
 }
 endif;
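Review bot: The search string `'#038;'` on the added `str_replace` line lacks the leading `&`, so an input containing `&#038;` is rewritten to `&&` rather than `&`; it should read `$location = str_replace(array('&amp;', '&#038;'), '&', $location);`. The decode also runs after the `%0d`/`%0a` strip. Because the replacement is only ever `&`, it cannot rebuild a stripped sequence, but a one-line comment saying so would help, since statement order matters in a header sanitizer. The function starts outside this hunk, so any filtering that happens earlier is not visible here.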


Index: wp-includes/functions.php
===================================================================
--- functions.php	(revision 14510)
+++ functions.php	(working copy)
@@ -1868,8 +1868,8 @@
  * @return string URL with nonce action added.
  */
 function wp_nonce_url( $actionurl, $action = -1 ) {
-	$actionurl = str_replace( '&amp;', '&', $actionurl );
-	return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
+	// $actionurl = str_replace( array('&amp;', '&038;'), '&', $actionurl );
+	return esc_html( wp_sanitize_redirect( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ) );
 }
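Review bot: `wp_nonce_url()` now relies on `wp_sanitize_redirect()` for its `&amp;` decoding, and that decoding runs after `add_query_arg()`, where the removed line decoded before it. How `add_query_arg()` treats entity-encoded separators is not visible here, so the ordering change should be confirmed against a URL that already carries `&amp;`-separated parameters. The `endif;` closing the pluggable.php hunk suggests `wp_sanitize_redirect()` is a replaceable function, in which case a substitute implementation would silently drop the decoding for every nonce URL. Keeping the decode local, `$actionurl = str_replace( array( '&amp;', '&#038;' ), '&', $actionurl );`, avoids both problems. Failing that, delete the commented-out line, whose `'&038;'` matches neither entity form.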
