Looking into the route the title takes before being in the message, I don't find anything being done about apostrophes.
The title is taken directly from the news subject without any sanitation and put in the extra tags array.
In XoopsNotificationHandler::trigger_event(), nothing is done to the extra tags.
In XoopsNotification::notifyUser, the tags are run through a preg_replace("/&/i", '&', $v) if the notification is sent by email.
In XoopsMailer::send, the tags are run through a simple preg_replace to get the value in the place of the placeholders in the mail template - again without sanitation.
I am not an expert, so I cannot say if there should be a sanitation - and if so, then which action should be taken.
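
The substitution step described in the post above, as an added example that is not part of the original post and not XOOPS source code: a simplified stand-in that places an unsanitized title into a mail template with preg_replace, next to a literal substitution with strtr. The function names, the {STORY_NAME} placeholder and the sample titles are assumptions made for illustration.

```php
<?php
// Hypothetical helpers; a simplified stand-in, not the XoopsMailer code.

// Substitution in the style the post describes: the tag value is handed
// to preg_replace() unchanged, as the replacement string.
function render_with_preg_replace(string $template, array $tags): string
{
    foreach ($tags as $name => $value) {
        $pattern  = '/\{' . preg_quote($name, '/') . '\}/';
        $template = preg_replace($pattern, $value, $template);
    }
    return $template;
}

// Literal substitution: strtr() copies the value byte for byte and does
// not rescan text it has already inserted.
function render_literal(string $template, array $tags): string
{
    $map = [];
    foreach ($tags as $name => $value) {
        $map['{' . $name . '}'] = $value;
    }
    return strtr($template, $map);
}

$template = "A new story has been posted: {STORY_NAME}\n";

// Constructed sample titles.
$titles = [
    // An apostrophe has no meaning in a replacement string and passes
    // through both functions unchanged.
    "Today's release notes",
    // "$0" in a preg_replace() replacement refers to the whole match,
    // so the placeholder text is put back into the message.
    'Prices cut to $0 today',
    // "\1" refers to capture group 1; the pattern has none, so the
    // reference is replaced by an empty string.
    'Backup of C:\\1 finished',
];

foreach ($titles as $title) {
    $tags = ['STORY_NAME' => $title];
    echo 'preg_replace: ', render_with_preg_replace($template, $tags);
    echo 'literal:      ', render_literal($template, $tags);
}
```

Run with the PHP CLI, the apostrophe title prints identically from both functions, while the other two titles differ between them. That narrows what the missing sanitation affects at this step: replacement-string syntax in the value, not apostrophes.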