Sanitizer::escapeId: Decode entity before replacing spaces
Having   inside header should not lead to ids with a plus.
This was correct when using the experimental ids, because there the
decode was done first and then spaces were replaced by underscores.
The non-experimental way replaced spaces with underscores and then
decoded the  , which results in a space that is URL-encoded to +.
Added also a parser test for headers with space, plus and underscore as
entity.
Change-Id: I455e38c7a9777a42a5cef2dc80bebb3c19ac4700