Originally reported by: Marcel Bollmann (Bitbucket: mbollmann, GitHub: mbollmann)
Localization strings should always be HTML-escaped; the JavaScript functions do this implicitly by setting the string as "text" of the HTML elements, but the PHP functions just copy the string verbatim.
Originally reported by: Marcel Bollmann (Bitbucket: mbollmann, GitHub: mbollmann)
Localization strings should always be HTML-escaped; the JavaScript functions do this implicitly by setting the string as "text" of the HTML elements, but the PHP functions just copy the string verbatim.