I changed line 429 from:
$time_companyID = str_replace(array('\r\n', '\r', '\n', ','), ' ', $rsCONT->getColumnVal('company'));
to:
$time_companyID = str_replace(array('\r\n', '\r', '\n', ','), ' ', $rsCONT->getColumnVal('company',false));
and that fixed it. Adding the false argument to a getColumnVal() method call prevents HTML encoding.
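
An added example, not code from the post or from the library it uses: with encoding turned off, the value is the stored text, so it has to be HTML-encoded once at the point where it is written into a page. DemoRecordSet is a hypothetical stand-in whose getColumnVal() is assumed to behave as the post describes (encode by default, return the stored value when passed false), and the sample row is constructed.

```php
<?php
// Hypothetical stand-in for the record set in the post. Assumption taken from
// the post: getColumnVal() HTML-encodes unless the second argument is false.
final class DemoRecordSet
{
    private $row;

    public function __construct(array $row)
    {
        $this->row = $row;
    }

    public function getColumnVal(string $column, bool $encode = true): string
    {
        $value = (string) ($this->row[$column] ?? '');
        return $encode ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    }
}

// Constructed sample row: markup characters, a comma and a line break.
$rsCONT = new DemoRecordSet(['company' => "Smith & Sons, <Ltd>\r\nLeeds"]);

// Double-quoted strings, so PHP interprets \r and \n as control characters.
$separators = ["\r\n", "\r", "\n", ','];

$encoded = str_replace($separators, ' ', $rsCONT->getColumnVal('company'));
$raw     = str_replace($separators, ' ', $rsCONT->getColumnVal('company', false));

// Non-HTML use (comparison, lookup key, export field): the encoded form
// carries entities and no longer matches the stored text.
echo "encoded: ", $encoded, PHP_EOL;
echo "raw:     ", $raw, PHP_EOL;
var_dump($encoded === $raw);

// HTML sink: encode the raw value exactly once, at output time.
echo '<td>', htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), '</td>', PHP_EOL;

// Encoding the already-encoded value a second time shows entities to the reader.
echo '<td>', htmlspecialchars($encoded, ENT_QUOTES, 'UTF-8'), '</td>', PHP_EOL;
```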