Added some more XSS checks

taxonomy_formatter.info

+name = Taxonomy Formatter
+description = "Add a formatter to taxonomy terms that allows selection of element type, wrapper type, and separators."
+package = Fields
+core = 7.x
+files[] = taxonomy_formatter.module
\ No newline at end of file

taxonomy_formatter.module

@@ -98,20 +98,20 @@ function taxonomy_formatter_field_formatter_settings_form($field, $instance, $vi
 function taxonomy_formatter_field_formatter_settings_summary($field, $instance, $view_mode) {
   $display = $instance['display'][$view_mode];
   $settings = $display['settings'];
-  $summary = t('The Terms will be displayed separated by "') . $settings['separator_option'] . '"';
+  $summary = t('The Terms will be displayed separated by "@separator"', array('@separator' => $settings['separator_option']));
   if ($settings['links_option']) {
     $summary .= t('<br>The terms will link to the term pages');
   }
   if ($settings['element_option']!="- None -") {
-    $summary .= "<br>Elements will be wrapped in a " . $settings['element_option'] . " tag";
+    $summary .= t('<br>Elements will be wrapped in a "@element" tag',  array('@element' => $settings['element_option']));
     if (!empty($settings['element_class'])) {
-      $summary .= " with the class of " . $settings['element_class'];
+      $summary .= t(' with the class of @elemclass', array('@elemclass' => $settings['element_class']));
     }
   }
   if ($settings['wrapper_option']!="- None -") {
-    $summary .= "<br>The entire list will be wrapped in a " . $settings['wrapper_option'] . " tag";
+    $summary .= t('<br>The entire list will be wrapped in a "@wrapper" tag', array('@wrapper' => $settings['wrapper_option']));
     if (!empty($settings['wrapper_class'])) {
-      $summary .= " with the class of " . $settings['wrapper_class'];
+      $summary .= t(' with the class of @wrapclass', array('@wrapclass' => $settings['wrapper_class']));
     }
   }
   return $summary;
@@ -122,9 +122,9 @@ function taxonomy_formatter_field_formatter_settings_summary($field, $instance,
 function taxonomy_formatter_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
   $settings = $display['settings'];
   $element = array();
-  $separator = $settings['separator_option'];
+  $separator = check_plain($settings['separator_option']);
   if ($settings['element_option']!='- None -') {
-    $elementwrap[0] = '<' . $settings['element_option'] . ' class="' . $settings['element_class'] . '">';
+    $elementwrap[0] = '<' . $settings['element_option'] . ' class="' . check_plain($settings['element_class']) . '">';
     $elementwrap[1] = '</' . $settings['element_option'] . '>';
   }
   else {
@@ -132,7 +132,7 @@ function taxonomy_formatter_field_formatter_view($entity_type, $entity, $field,
     $elementwrap[1] = '';
   }
   if ($settings['wrapper_option']!='- None -') {
-    $wrapper[0] = '<' . $settings['wrapper_option'] . ' class="' . $settings['wrapper_class'] . '">';
+    $wrapper[0] = '<' . $settings['wrapper_option'] . ' class="' . check_plain($settings['wrapper_class']) . '">';
     $wrapper[1] = '</' . $settings['wrapper_option'] . '>';
   }
   else {
@@ -146,7 +146,7 @@ function taxonomy_formatter_field_formatter_view($entity_type, $entity, $field,
     $actterm = entity_load('taxonomy_term', $term);
     $uri = entity_uri('taxonomy_term', $actterm[$termid]);
     if ($settings['links_option']) {
-      $formatted .= $elementwrap[0] . '<a href=\'/' . l(check_plain($actterm[$termid]->name),$uri['path']) . $elementwrap[1] . $separator;
+      $formatted .= $elementwrap[0] . l($actterm[$termid]->name, $uri['path'], $uri['options']) . $elementwrap[1] . $separator;
     }
     else {
       $formatted .= $elementwrap[0] . check_plain($actterm[$termid]->name) . $elementwrap[1] . $separator;