I'm using the auto_nodetitles module in conjunction with the locations module to create a content type which populates it's node's title field with the location's name (using node location) via the htmlspecialchars_decode() function in PHP.

I stayed away from using tokens by themselves because sometimes a location might have an amberstand or an apostrophee, and they render with their HTML character representation, rather than the real chartacters.

My code looks like:

  $token = '[location-name_0]';
  if (empty($token)) {
    return '[type]';
  }
  else {
    return str_replace(array('&', '"', '''), array('&', '"', "'"), $token);
  } 

Is there another way of doing this without using the htmlspecialchars_decode() function? I looked into using the check_plain() function in Drupal but that will not deal with the ( & ' ) character issues.

To what extent is using the htmlspecialchars_decode() a security hole?

than