--- casetracker.module.orig 2010-06-28 23:41:01.000000000 +0200
+++ casetracker.module 2010-06-28 23:43:11.000000000 +0200
@@ -767,27 +767,27 @@ function theme_casetracker_comment_chang case 'pid': $old_title = db_result(db_query("SELECT title FROM {node} WHERE nid = %d", $old->pid)); $new_title = db_result(db_query("SELECT title FROM {node} WHERE nid = %d", $new->pid)); - $old->{$field} = l($old_title, "node/{$old->pid}"); - $new->{$field} = l($new_title, "node/{$new->pid}"); + $old->{$field} = l(check_plain($old_title), "node/{$old->pid}"); + $new->{$field} = l(check_plain($new_title), "node/{$new->pid}"); break; case 'case_status_id': - $old->{$field} = casetracker_case_state_load($old->{$field}, 'status'); - $new->{$field} = casetracker_case_state_load($new->{$field}, 'status'); + $old->{$field} = check_plain(casetracker_case_state_load($old->{$field}, 'status')); + $new->{$field} = check_plain(casetracker_case_state_load($new->{$field}, 'status')); break; case 'assign_to': - $old->{$field} = casetracker_get_name($old->{$field}); - $new->{$field} = casetracker_get_name($new->{$field}); + $old->{$field} = check_plain(casetracker_get_name($old->{$field})); + $new->{$field} = check_plain(casetracker_get_name($new->{$field})); break; case 'case_priority_id': - $old->{$field} = casetracker_case_state_load($old->{$field}, 'priority'); - $new->{$field} = casetracker_case_state_load($new->{$field}, 'priority'); + $old->{$field} = check_plain(casetracker_case_state_load($old->{$field}, 'priority')); + $new->{$field} = check_plain(casetracker_case_state_load($new->{$field}, 'priority')); break; case 'case_type_id': - $old->{$field} = casetracker_case_state_load($old->{$field}, 'type'); - $new->{$field} = casetracker_case_state_load($new->{$field}, 'type'); + $old->{$field} = check_plain(casetracker_case_state_load($old->{$field}, 'type')); + $new->{$field} = check_plain(casetracker_case_state_load($new->{$field}, 'type')); break; } - $rows[] = array(t('@label: @old » @new', array('@label' => $label, '@old' => $old->{$field}, '@new' => $new->{$field}))); + $rows[] = array(t('@label: !old » 
!new', array('@label' => $label, '!old' => $old->{$field}, '!new' => $new->{$field}))); } }
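Review bot: Switching the `t()` placeholders from `@old`/`@new` to `!old`/`!new` on the `$rows[]` line turns off `t()`'s own escaping, so the output is only safe if every path through the switch has already escaped the value. The switch opens above this hunk, so I cannot see whether other cases or a `default:` exist; if `$field` can hold anything besides the five cases shown, that value now reaches the table unescaped where it was previously passed through `check_plain()`. A `default:` branch with `$old->{$field} = check_plain($old->{$field}); $new->{$field} = check_plain($new->{$field});` would close that gap. Separately, `l()` already runs its link text through `check_plain()` unless the `html` option is set, so `l(check_plain($old_title), ...)` double-encodes titles containing `&` or quotes; `l($old_title, "node/{$old->pid}")` is enough in the `pid` case.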