...
Note that Cake's link() function ($this->Html->link()) will escape title and attributes unless escaping is explicitly set to false. To avoid double-encoding strings, allow Cake to manage escaping when using link(). For more information about link(), visit Cake's HTML Helper documentation (version 2 / version 3).
The addCrumb() function should escape strings passed through it when no arguments accompany the string. When arguments are passed, Cake will generate a link() and escape the string, so do not filter a string passed in this case or you will double-escape it. When no arguments are passed, the string will be echoed to the output and must be filtered using filter_var.
PHP-isms
No Short Tags
The full PHP tag must be used.
...