When using apostrophes in the mouseover text they appear incorrectly. The apostrophes are replaced by &#039;
For example, "Kim's Upholstery" shows up as Kim&#039s Upholstery.

I have looked in the database and the record is entered correctly; this is purely a display issue with the module.

Any thoughts? Please see attached screenshot for example.

Attached file: screenshot-apostrophe.jpg (78.06 KB), uploaded by jbergeron

Comments

ethnovode

Hello, I have this problem too. I removed the check_plain() function around the tooltip and alt everywhere (in image.module) and now it seems to work. My site didn't explode yet.

It's probably not the best way to solve this problem.

http://api.drupal.org/api/function/check_plain/6

sleepingmonk

check_plain uses the flag ENT_QUOTES in its call to htmlspecialchars, which is converting the single quote.

The encoding can't be converted back to a single quote in the title attribute. Perhaps replacing check_plain($tooltip) with htmlspecialchars($tooltip, ENT_COMPAT, 'UTF-8'); is an acceptable alternative? Then at least we're still filtering the output.

Can the title attribute actually execute html code anyway? Perhaps the filtering is not necessary. I'm happy to make a patch if the maintainers think either htmlspecialchars or simply removing the check is acceptable.

john franklin

Status: Active » Closed (won't fix)

Some conversion must be done. If the tool text passed contains a double quote, that would close the tag prematurely and leave the module open to XSS or other page hijacking. However, when I checked with several different browsers (Safari, Chrome, OmniWeb and Firefox (both 3.6 and the new 4.0)), no decoding of any HTML entities was performed by any of them. >, <, " and ' were all shown as HTML entities &gt; &lt; &quot; and &#039; respectively.

I'm going to mark this "won't fix" because:

1. Calling check_plain() is consistent with other Drupal modules (e.g., imagecache, lightbox2 and imagefield)
2. A proper encoding should remove HTML tags intelligently
* The tool tip "Show some emphasis!" should become "Show some emphasis!"
* The tool tip "insert some JavaScript here" should be blank.
3. Such a function should be a Drupal core function peered with check_plain()

If you open a bug with the core, note it here and I'll support your efforts with the core team.
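
The two encodings discussed in this thread, as an added PHP example that is not part of any comment or of the module's code: it compares ENT_QUOTES with ENT_COMPAT for double-quoted and single-quoted attributes, and shows what a single decode displays after one and after two encoding passes. The function names and sample tooltips are constructed, and the second encoding pass is an assumption about how a literal &#039; could reach the screen, not something the thread confirms.

```php
<?php
// Stand-in for the call described in the thread (hypothetical name,
// not Drupal's source): htmlspecialchars() with ENT_QUOTES.
function encode_quotes(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The alternative proposed in the thread: ENT_COMPAT leaves ' untouched.
function encode_compat(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// True when the encoded value can no longer terminate an attribute
// that is delimited by $delimiter (" or ').
function safe_in_attribute(string $encoded, string $delimiter): bool {
    return strpos($encoded, $delimiter) === false;
}

// What is shown after the attribute value is entity-decoded once.
function displayed(string $encoded): string {
    return html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');
}

function yn(bool $b): string {
    return $b ? 'yes' : 'no';
}

// Constructed sample tooltips: one with an apostrophe, one with double quotes.
$samples = ["Kim's Upholstery", 'The "best" shop'];

foreach ($samples as $raw) {
    $encodings = [
        'ENT_QUOTES' => encode_quotes($raw),
        'ENT_COMPAT' => encode_compat($raw),
    ];
    printf("raw: %s\n", $raw);
    foreach ($encodings as $flag => $enc) {
        printf("  %s: %s\n", $flag, $enc);
        printf("    safe in title=\"...\": %s, safe in title='...': %s\n",
            yn(safe_in_attribute($enc, '"')), yn(safe_in_attribute($enc, "'")));
        printf("    displayed after one decode: %s\n", displayed($enc));
    }
    // Assumption: the already-encoded value is encoded a second time
    // somewhere later in the output path.
    $twice = encode_quotes($encodings['ENT_QUOTES']);
    printf("  encoded twice: %s\n", $twice);
    printf("    displayed after one decode: %s\n\n", displayed($twice));
}
```

ENT_COMPAT output is only safe when the template always delimits the attribute with double quotes; ENT_QUOTES output is safe with either delimiter.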