Stanzas that are shared in a MUC are typically addressed to semi-anonymous addresses. Instead of the 'real' JID of an occupant a 'room' JID is used (in the form of roomname@conferenceserver/nickname. (Depending on the room configuration, the real JID of a user can be included as well, but that's besides the point for this issue).

When a message is routed, Openfire will replace the room JID for the real JID, just before the message is being delivered to the end client.

Some processing can occur after a stanza is routed (for example, event listeners can be triggered). Unless a defensive copy is made of the stanza, this post-processing operates on the stanza that was delivered to the end-user - where a room JID has been replaced with a real JID. This is undesirable, as it can expose the real JID (for example when the original sender retrieves the message from a message archive).

Routing should not affect the stanza that is being post-processed.