...
For views producing HTML output to a browser, all user-supplied content must be filtered/escaped before it is written into the page. In most cases filter_var with FILTER_SANITIZE_SPECIAL_CHARS is appropriate:
...
Note that Cake's link() function ($this->Html->link()) will escape title and attributes unless escaping is explicitly set to false. To avoid double-encoding strings, allow Cake to manage escaping when using link(). For more information about link(), visit Cake's HTML Helper documentation (version 2 / version 3).
Strings passed to the addCrumb() function must be escaped when no further arguments accompany the string. When arguments are passed, Cake will generate a link() and escape the string, so do not filter a string passed in this case or you will double-escape it. When no arguments are passed, the string is echoed to the output as-is and must be filtered using filter_var.
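The following is an added example, not code from the guideline above or from CakePHP. It shows the filter_var escaping recommended for plain output, and the "escape once" rule for crumbs: a crumb rendered through an escaping link helper must receive the raw string, while a crumb echoed verbatim must be escaped by the caller. The functions h_out(), linkStandIn() and renderCrumb() are hypothetical, simplified stand-ins for the behaviour the text describes for link() and addCrumb(); they are not the HtmlHelper implementation, and the user input is constructed.

```php
<?php
// Added example: illustrates output escaping with filter_var() and the
// double-encoding that results from escaping the same string twice.
// linkStandIn() and renderCrumb() are assumed, simplified stand-ins for the
// behaviour described for HtmlHelper::link() and addCrumb(); they are not
// CakePHP's code.

declare(strict_types=1);

// Escape a user-supplied string for inclusion in HTML text or an attribute.
// FILTER_SANITIZE_SPECIAL_CHARS encodes ' " < > & and control characters
// as numeric entities.
function h_out(string $userInput): string
{
    return filter_var($userInput, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Stand-in for a link helper that escapes its title and attributes itself.
function linkStandIn(string $title, string $url): string
{
    $safeTitle = h_out($title);
    $safeUrl   = h_out($url);
    return "<a href=\"$safeUrl\">$safeTitle</a>";
}

// Stand-in for crumb rendering: with a URL the name goes through the
// escaping link helper; without one the name is output exactly as given.
function renderCrumb(string $name, ?string $url = null): string
{
    return $url !== null ? linkStandIn($name, $url) : $name;
}

// Constructed user input containing markup and an ampersand.
$userInput = '<script>alert(1)</script> Widgets & Co';

// Case 1: crumb with no link. The helper echoes the string verbatim,
// so the caller must escape it.
$plain = renderCrumb(h_out($userInput));

// Case 2: crumb with a link. The helper escapes, so pass the raw string.
$linked = renderCrumb($userInput, '/widgets?x=1&y=2');

// Wrong: escaping before handing the string to the escaping helper
// encodes the '&' of each entity again (double-encoding).
$doubleEncoded = renderCrumb(h_out($userInput), '/widgets');

echo "Plain crumb:    $plain\n";
echo "Linked crumb:   $linked\n";
echo "Double-encoded: $doubleEncoded\n";
```

Run with `php example.php`. In the third line of output every entity produced by the first escaping pass, such as the one for `<`, has its leading `&` re-encoded, which is what the browser then displays literally instead of the intended character; that visible garbling is the symptom to look for when a view escapes a string that a helper already escapes.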
...