From 8306444494c9fd69dc3df04904fe9a2b1f56e39f Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Wed, 18 Oct 2006 18:00:40 +0000
Subject: - Patch #78399 by Eaton and chx: don't allow HTML in the title.
---
 includes/theme.inc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
 (limited to 'includes')
diff --git a/includes/theme.inc b/includes/theme.inc
index 65be70305..043e4e2bd 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -530,12 +530,18 @@ function theme_links($links, $attributes = array('class' => 'links')) {
 $extra_class = ($i == 1) ? 'first ' : (($i == $num_links) ? 'last ' : '');
 $output .= '
  • '; + // Is the title HTML? + $html = isset($link['html']) && $link['html']; + if ($link['href']) { - $output .= l($link['title'], $link['href'], $link['attributes'], $link['query'], $link['fragment']); + $output .= l($link['title'], $link['href'], $link['attributes'], $link['query'], $link['fragment'], FALSE, $html); } else if ($link['title']) { //Some links are actually not links, but we wrap these in for adding title and class attributes - $output .= ''. check_plain($link['title']) .''; + if (!$html) { + $link['title'] = check_plain($link['title']); + } + $output .= ''. $link['title'] .''; } $i++; -- cgit v1.2.3
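Review bot: The new `$link['html']` flag switches off escaping of the title in both branches (it is passed to `l()` as the last argument and skips `check_plain()` in the non-link branch), but the only comment, `// Is the title HTML?`, does not say who is responsible for sanitizing it. Any caller that sets `'html' => TRUE` on a title containing user-supplied text would put unescaped markup into the page, so the contract should be stated where the flag is read, for example `// 'html' => TRUE means the caller has already sanitized the title; it is output without check_plain().` The `html` key should presumably also be listed in the docblock of theme_links(), which starts and ends outside this hunk. As a smaller style point, `$html = !empty($link['html']);` expresses the same test more directly than the `isset() &&` form.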