### Eclipse Workspace Patch 1.0
#P drupal-contrib-5
Index: modules/l10n_client/l10n_client.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/l10n_client/l10n_client.module,v
retrieving revision 1.1.2.5
diff -u -r1.1.2.5 l10n_client.module
--- modules/l10n_client/l10n_client.module	4 Jan 2008 13:38:29 -0000	1.1.2.5
+++ modules/l10n_client/l10n_client.module	26 Apr 2008 20:24:39 -0000
@@ -223,11 +223,13 @@
     // TRUE means we don't have translation, so we use the original string,
     // so we always have the string displayed on the page in the dropdown.
     $original = $values[1] === TRUE ? $values[0] : $values[1];
-    // Remove html tags, at least for display
+    // Encode html tags, at least for display
     $original = htmlentities($original);
+    // Remove html tags, at least for display
+    $original = strip_tags($original);
     // Truncate and add ellipsis if too long.
-    $string = strip_tags(truncate_utf8($values[1] === TRUE ? $values[0] : $values[1], 78, TRUE));
-    $select_list[] = "<li class='$str_class'>" . $string . ($original == $string ? '' : '...') . "</li>";
+    $string = truncate_utf8($original, 78, TRUE);
+    $select_list[] = "<li class='$str_class'>". $string . ($original == $string ? '' : '...') .'</li>';
   }
   $output = implode("\n",$select_list);
   return "<ul class='string-list'>$output</ul>";
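Review bot: `strip_tags()` now runs after `htmlentities()`, so every `<` is already `&lt;` by the time it is called and it removes nothing; markup in a source string is displayed as escaped text rather than stripped, contrary to the comment above it. Truncating the already-encoded string at 78 characters can also cut through an entity such as `&amp;` and leave a fragment in the list item. I would strip and truncate the raw text and escape last: `$original = strip_tags($original);`, `$string = truncate_utf8($original, 78, TRUE);`, then `htmlentities($string)` at the point where it is concatenated into the `<li>`. That keeps the `$original == $string` ellipsis test on unescaped values. The enclosing function starts outside this hunk.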
@@ -297,7 +299,7 @@
   foreach($strings as $values) {
     $source = $values[0] === TRUE ? '' : $values[0];
     $target = $values[1] === TRUE ? '' : $values[1];
-    $output .= "<div><span class='source'>$source</span><span class='target'>$target</span></div>";
+    $output .= "<div><span class='source'>". htmlentities($source) ."</span><span class='target'>". htmlentities($target) ."</span></div>";
   }
   return "<div id='l10n-client-data'>$output</div>";
 }
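Review bot: `htmlentities()` is called here without a charset argument, and on PHP versions where the default is ISO-8859-1 (before 5.4) each byte of a multi-byte UTF-8 character is encoded as a separate entity, which would corrupt non-ASCII translations in the `source` and `target` spans. Passing the charset explicitly, `htmlentities($source, ENT_QUOTES, 'UTF-8')`, or using Drupal's `check_plain($source)`, keeps the escaping that closes the markup injection and leaves translated text intact; the same applies to `$target` and to the `htmlentities($original)` call in the first hunk. If the client script reads these spans as markup rather than as text it will now receive the encoded form, so that consumer is worth checking; it is not part of this patch. The function body begins outside the hunk.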
