return content;
// we have to do the escaping here, because we will ultimately
// write this as a raw string, so as not to escape the tags.
- return "<a href='#LyXCite-" + key + "'>" +
+ return "<a href='#LyXCite-" + html::cleanAttr(key) + "'>" +
html::htmlize(content, XHTMLStream::ESCAPE_ALL) + "</a>";
}