Every time you output a plain text string (i.e. anything that is not deliberately markup) into an HTML page, you need to escape it.
In plain PHP templates that is typically done with the htmlspecialchars() function. Drupal offers check_plain() as a short-cut, although not a very short one. You can define your own shorter cut to reduce the pain:
// Escape a string for HTML output. ENT_QUOTES also encodes single quotes, so the
// helper is safe inside both double- and single-quoted attribute values.
function h($s) {
    echo htmlspecialchars($s, ENT_QUOTES, 'utf-8');
}
<a id="tocollege" target="<?php h($target); ?>" title="<?php h($link_title); ?>" href="<?php h($link); ?>">...
(I'm not sure what the use of print_r was for—this is traditionally used for producing readable structured-object output for debugging, but that format of output isn't generally what you want in a production web page, and in your example it was only being used for strings, where it makes no difference anyway.)
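As an added, runnable illustration of the point above (this is not code from the answer or from the question), here is a variant of the h() helper that returns rather than echoes, so its output can be compared side by side with a call that omits ENT_QUOTES. The $title and $link values are constructed sample data; ENT_SUBSTITUTE is an extra flag that makes invalid UTF-8 degrade to U+FFFD instead of an empty string.

```php
<?php
declare(strict_types=1);

// Escape a plain-text string for HTML element content or a quoted attribute value.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps malformed UTF-8 from
// silently turning the whole string into "".
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values: a title that would close a single-quoted attribute
// and inject markup if emitted raw, and a link whose '&' must become '&amp;'.
$title = "It's <b>bold</b> & \"quoted\"";
$link  = 'https://example.com/?a=1&b=2';

// ENT_COMPAT (the default before PHP 8.1) leaves the single quote untouched,
// which is exactly the character a single-quoted attribute relies on.
echo "ENT_COMPAT: ", htmlspecialchars($title, ENT_COMPAT, 'UTF-8'), "\n";
echo "ENT_QUOTES: ", h($title), "\n";

// The same helper serves text content and quoted attribute values alike.
?>
<a id="tocollege" title='<?= h($title) ?>' href="<?= h($link) ?>"><?= h($title) ?></a>
```

Run it from the command line (php example.php) and compare the two lines: only the ENT_QUOTES version encodes the apostrophe, so only it is safe inside the single-quoted title attribute in the template fragment at the end.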