### Eclipse Workspace Patch 1.0
#P drupal-contrib-5
Index: modules/l10n_client/l10n_client.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/l10n_client/l10n_client.module,v
retrieving revision 1.1.2.7
diff -u -r1.1.2.7 l10n_client.module
--- modules/l10n_client/l10n_client.module	29 Jul 2008 13:20:00 -0000	1.1.2.7
+++ modules/l10n_client/l10n_client.module	1 Aug 2008 20:48:01 -0000
@@ -204,11 +204,13 @@
     // TRUE means we don't have translation, so we use the original string,
     // so we always have the string displayed on the page in the dropdown.
     $original = $values[1] === TRUE ? $values[0] : $values[1];
-    // Remove html tags, at least for display
+    // Encode html tags, at least for display
     $original = htmlentities($original);
+    // Remove html tags, at least for display
+    $original = strip_tags($original);
     // Truncate and add ellipsis if too long.
-    $string = strip_tags(truncate_utf8($values[1] === TRUE ? $values[0] : $values[1], 78, TRUE));
-    $select_list[] = "<li class='$str_class'>" . $string . ($original == $string ? '' : '...') . "</li>";
+    $string = truncate_utf8($original, 78, TRUE);
+    $select_list[] = "<li class='$str_class'>". $string . ($original == $string ? '' : '...') .'</li>';
   }
   $output = implode("\n",$select_list);
   return "<ul class='string-list'>$output</ul>";
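Review bot: `strip_tags()` now runs after `htmlentities()`, so every `<` and `>` is already `&lt;`/`&gt;` by the time it executes and it removes nothing; the list shows encoded markup rather than tag-free text. Truncating the encoded string can also cut an entity in half at 78 characters and leave a fragment such as `&am` in the `<li>`. Strip and truncate the raw text, then escape last: `$original = strip_tags($original);`, `$string = truncate_utf8($original, 78, TRUE);`, and emit `check_plain($string)` inside the `<li>`. `htmlentities()` called without a charset argument is also likely to mangle UTF-8 translations on the PHP versions Drupal 5 targets, and the same applies to the two calls in the second hunk. The enclosing loop and function begin outside this hunk.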
@@ -305,7 +307,7 @@
   foreach($strings as $values) {
     $source = $values[0] === TRUE ? '' : $values[0];
     $target = $values[1] === TRUE ? '' : $values[1];
-    $output .= "<div><span class='source'>$source</span><span class='target'>$target</span></div>";
+    $output .= "<div><span class='source'>". htmlentities($source) ."</span><span class='target'>". htmlentities($target) ."</span></div>";
   }
   return "<div id='l10n-client-data'>$output</div>";
 }
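Review bot: The escaping added on the `$output .=` line protects only the server-rendered markup; whether markup inside a source or translation string stays inert depends on how the client script reads `#l10n-client-data`, which is not visible here. If that script reads the spans as text and later writes the values back through an HTML setter, the decoded string would be parsed as markup again, so that path should be checked. A comment above the line would record the contract: `// Escaped for HTML output; client code must treat these values as text.` The function begins outside this hunk.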
