Don't double-escape project names in base layout.

app/helpers/application_helper.rb

@@ -413,7 +413,7 @@ module ApplicationHelper
       title = []
       title << h(@project.name) if @project
       title += @html_title if @html_title
-      title << Setting.app_title
+      title << h(Setting.app_title)
       title.select {|t| !t.blank? }.join(' - ')
     else
       @html_title ||= []

app/views/layouts/base.rhtml

@@ -2,7 +2,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <head>
 <meta http-equiv="content-type" content="text/html; charset=utf-8" />
-<title><%=h html_title %></title>
+<title><%= html_title %></title>
 <meta name="description" content="<%= Redmine::Info.app_name %>" />
 <meta name="keywords" content="issue,bug,tracker" />
 <%= csrf_meta_tag %>

test/integration/layout_test.rb

@@ -60,4 +60,15 @@ class LayoutTest < ActionController::IntegrationTest
       :attributes => {:src => %r{^/javascripts/jstoolbar/textile.js}},
       :parent => {:tag => 'head'}
   end
+
+  test "page titles should be properly escaped" do
+    project = Project.generate(:name => "C&A")
+
+    with_settings :app_title => '<3' do
+      get "/projects/#{project.to_param}"
+
+      assert_select "title", /C&amp;A/
+      assert_select "title", /&lt;3/
+    end
+  end
 end