From 3057c51f19b668b88716cf4f904ae9de4645fbb7 Mon Sep 17 00:00:00 2001
From: Mark Carver <mark.carver@me.com>
Date: Tue, 4 Apr 2017 14:38:08 -0500
Subject: [PATCH] Issue #2866798 by donquixote: bootstrap_menu_local_task()
 filters twice

---
 templates/menu/menu-local-task.func.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/templates/menu/menu-local-task.func.php b/templates/menu/menu-local-task.func.php
index 8c5a839..a0e65d6 100644
--- a/templates/menu/menu-local-task.func.php
+++ b/templates/menu/menu-local-task.func.php
@@ -26,9 +26,16 @@ function bootstrap_menu_local_task($variables) {
 
   $options = isset($link['localized_options']) ? $link['localized_options'] : array();
 
-  // Filter the title if the "html" is not set, otherwise l() will automatically
-  // sanitize using check_plain(), so no need to call that here.
-  $title = empty($options['html']) ? filter_xss_admin($link['title']) : $link['title'];
+  // Filter the title if the "html" is not set and indicate to l() by setting
+  // "html" since it was just filtered.
+  if (empty($options['html'])) {
+    $title = filter_xss_admin($link['title']);
+    $options['html'] = TRUE;
+  }
+  // Otherwise, just pass the title as is and l() will use check_plain().
+  else {
+    $title = $link['title'];
+  }
 
   $href = $link['href'];
   $attributes = array();
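Review bot: The comment on the new `else` branch is inverted: that branch runs only when `$options['html']` is already truthy, and in that case l() emits the text without calling check_plain(), so `$link['title']` reaches the output unescaped and must have been sanitized by whoever set the flag. I would reword it to `// Otherwise "html" is already set: l() will not escape the title, so the caller must have sanitized it.` Separately, in the `if` branch a title that l() would otherwise treat as plain text is now rendered as markup restricted only by filter_xss_admin()'s broad tag allowlist; if local task titles can carry user-supplied text, `check_plain($link['title'])` would be the tighter filter there, which is worth confirming against the menu callbacks that feed this. bootstrap_menu_local_task() starts above and continues below this hunk.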
-- 
2.12.0

