Fix missing escaping in sort()

Cake/Test/TestCase/View/Helper/PaginatorHelperTest.php

@@ -247,6 +247,30 @@ public function testSortLinks() {
 		$this->assertTags($result, $expected);
 	}
 
+/**
+ * test sort() with escape option
+ */
+	public function testSortEscape() {
+		$result = $this->Paginator->sort('title', 'TestTitle >');
+		$expected = array(
+			'a' => array('href' => '/index?sort=title&direction=asc'),
+			'TestTitle >',
+			'/a'
+		);
+		$this->assertTags($result, $expected);
+
+		$result = $this->Paginator->sort('title', 'TestTitle >', ['escape' => true]);
+		$this->assertTags($result, $expected);
+
+		$result = $this->Paginator->sort('title', 'TestTitle >', ['escape' => false]);
+		$expected = array(
+			'a' => array('href' => '/index?sort=title&direction=asc'),
+			'TestTitle >',
+			'/a'
+		);
+		$this->assertTags($result, $expected);
+	}
+
 /**
  * test that sort() works with virtual field order options.
  *

Cake/View/Helper/PaginatorHelper.php

@@ -383,8 +383,11 @@ public function next($title = 'Next >>', $options = []) {
  *  key the returned link will sort by 'desc'.
  * @link http://book.cakephp.org/2.0/en/core-libraries/helpers/paginator.html#PaginatorHelper::sort
  */
-	public function sort($key, $title = null, $options = array()) {
-		$options = array_merge(array('url' => array(), 'model' => null), $options);
+	public function sort($key, $title = null, $options = []) {
+		$options = array_merge(
+			['url' => array(), 'model' => null, 'escape' => true],
+			$options
+		);
 		$url = $options['url'];
 		unset($options['url']);
 
@@ -423,7 +426,7 @@ public function sort($key, $title = null, $options = array()) {
 			['order' => null]
 		);
 		$vars = [
-			'text' => $title,
+			'text' => $options['escape'] ? h($title) : $title,
 			'url' => $this->url($url),
 		];
 		return $this->_templater->format($template, $vars);