If you edit the user.ini file yourself you may get the option anti-xss bugged.
It says it is activated but when you go to the config file phpIniOverride, the line where the open_basedir goes is commented.
In a nutshell, anti-xss does the opposite thing, while activated comments it out and when disabled it removes #.
If you remove it yourself and save it will still happen, you have to unmark and mark anti-xss again.
If you don't manage to replicate it tell me.