From e8d12345da4324ad3b7a9cde4a387355326d515d Mon Sep 17 00:00:00 2001
From: Eileen McNaughton
Date: Tue, 21 Dec 2021 11:18:41 +1300
Subject: [PATCH] dev/core#3001 escape single quotes when rendering tokens in html format

---
 Civi/Token/TokenRow.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Civi/Token/TokenRow.php b/Civi/Token/TokenRow.php
index 29ad5a2559..6701008391 100644
--- a/Civi/Token/TokenRow.php
+++ b/Civi/Token/TokenRow.php
@@ -280,7 +280,7 @@ class TokenRow {
 $htmlTokens[$entity][$field] = \CRM_Utils_String::purifyHTML($value);
 }
 else {
- $htmlTokens[$entity][$field] = is_object($value) ? $value : htmlentities($value);
+ $htmlTokens[$entity][$field] = is_object($value) ? $value : htmlentities($value, ENT_QUOTES);
 }
 }
 }
-- 
2.25.1
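Review bot: The new `htmlentities($value, ENT_QUOTES)` call in the `else` branch sets the flags explicitly but omits `ENT_SUBSTITUTE` and the encoding, so a token value containing an invalid byte sequence makes htmlentities() return an empty string and the token renders blank without any error. On PHP 8.1 and later the explicit flag also replaces a default that already included ENT_SUBSTITUTE, so this line is slightly less tolerant there than the bare call was. I would write `htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and add a comment such as `// ENT_QUOTES: token values may be placed inside single-quoted HTML attributes` so the flag is not dropped in a later cleanup. The `is_object($value)` arm still stores the object unescaped, which presumably relies on escaping at a later stringification step; the enclosing method starts and ends outside the hunk, so that cannot be confirmed from here.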