Index: branches/5.2.x/units/order_items/order_items_tag_processor.php
===================================================================
diff -u -N -r15600 -r15854
--- branches/5.2.x/units/order_items/order_items_tag_processor.php (.../order_items_tag_processor.php) (revision 15600)
+++ branches/5.2.x/units/order_items/order_items_tag_processor.php (.../order_items_tag_processor.php) (revision 15854)
@@ -1,6 +1,6 @@ = 0 ? '+' : '-'; }
- $block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+ // TODO: consider escaping in template instead
+ $block_params['value'] = kUtil::escape($val);
 $block_params['type'] = $key_data['OptionType'];
 }
 $o .= $this->Application->ParseBlock($block_params, 1);
@@ -176,7 +178,10 @@
 foreach ($values as $val) {
 $i++;
 $val = htmlspecialchars_decode($val);
- $block_params['value'] = htmlspecialchars($val, null, CHARSET);
+
+ // TODO: consider escaping in template instead
+ $block_params['value'] = kUtil::escape($val);
+
 if ($price_types[$val] == '$') {
 $iso = $this->GetISO($params['currency']);
 $value = $this->AddCurrencySymbol(sprintf("%.2f", $this->ConvertCurrency($prices[$val], $iso)), $iso, true); // true to force sign
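Review bot: Both new assignments `$block_params['value'] = kUtil::escape($val);` (in the `@@ -176,7 +178,10 @@` hunk and in the one before it) rely on the helper's default strategy, and `kUtil::escape` is not defined anywhere in this diff. It is worth confirming that the default is HTML escaping with the site charset and that it encodes both `"` and `'`, because the removed call passed `null` as the flags argument and quote handling may therefore differ from before. In the second hunk `$val` first goes through `htmlspecialchars_decode($val)` with default flags, so the decode and re-encode only round-trip cleanly if both sides treat quotes the same way. I would also replace the TODO with a comment that records the contract, e.g. `// 'value' is handed to the block already HTML-escaped; templates must not escape it again`, since moving the escaping into templates later without removing this call would double-encode. The enclosing loops start and end outside the hunks.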