We have the same code regarding escaping descriptions also here: https://github.com/joomla/joomla-cms/blob/4.1-dev/administrator/components/com_modules/tmpl/select/default.php#L64 .

It would work in both cases if we take off the escape, i.e.

<?php $desc = HTMLHelper::_('string.truncate', strip_tags($item->desc), 200); ?>

Any reason for these strings to be escaped?

Any reason for these strings to be escaped?

Security?

what about using this then

<?php $desc = HTMLHelper::_('string.truncate', html_entity_decode(strip_tags($item->desc), ENT_SUBSTITUTE, 'UTF-8'), 200); ?>

Add a unbreakable space   or   to the PLG_TASK_DEMO_TASKS_STRESS_MEMORY_DESC string value in administrator/languages/plg_task_demotasks.ini

Why would you do that? Useful?

The issue is that the & is escaped & and not because it is a non-breaking space.

This module displays a username and password login form. It also displays a link to retrieve a forgotten password. If user registration is enabled (in Users → Manage → Options),..

Why would you do that? Useful?

In French some punctuation marks need to be preceded by non-breaking space to prevent that punctuation mark to jump alone into the next line, this whether in print or html.
Such as  ?  ;  :  ! « »

Note: I don't see the security reason forcing to escape in these descriptions. After all we are not escaping the extensions description and html entities work fine there.

Looking at similar uses of string.truncate and/or displaying extension descriptions I dont see them using strip_tags or escape

It is only in administrator/components/com_modules/tmpl/select/default.php and its derivative administrator/components/com_scheduler/tmpl/select/default.php that we see this.

@joomla/security any objection to killing the escape and strip tatgs here