When the value of the Category Name is used as the anchor title (i.e. tooltip) for sub-category links, it is not made safe for special HTML characters.
Line 975:
$html .= "<a style=\"display:block;\" class=\"sublevel\" title=\"".$db->f("category_name")."\" href=\"";
should be replaced by:
$html .= "<a style=\"display:block;\" class=\"sublevel\" title=\"".shopMakeHtmlSafe($db->f("category_name"))."\" href=\"";
Tested on VM 1.1 nightly from 18/7/2008 on J1.5 (1.5.3)
regards
Phil
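
The following is an added example, not part of the original post and not VirtueMart code: it rebuilds the link both ways and checks whether the title attribute survives HTML parsing unchanged. The function names, the sample category name and the href are constructed, and `make_html_safe_example()` is a stand-in that assumes `shopMakeHtmlSafe()` behaves like `htmlspecialchars()` with `ENT_QUOTES`.

```php
<?php
// Stand-in for shopMakeHtmlSafe(); assumed equivalent to htmlspecialchars()
// with ENT_QUOTES. This is not the project's own implementation.
function make_html_safe_example($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mirrors line 975 as reported: the name is placed in title="" unescaped.
function sublevel_link_before($name, $href) {
    return "<a style=\"display:block;\" class=\"sublevel\" title=\"" . $name
         . "\" href=\"" . $href . "\">sub-category</a>";
}

// Mirrors the proposed replacement: the name is escaped for attribute context.
function sublevel_link_after($name, $href) {
    return "<a style=\"display:block;\" class=\"sublevel\" title=\""
         . make_html_safe_example($name)
         . "\" href=\"" . $href . "\">sub-category</a>";
}

// Parse the markup the way a consumer would and return the title the parser
// actually sees on the first <a>, or null if no anchor was found.
function parsed_title($html) {
    $previous = libxml_use_internal_errors(true); // malformed input is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $anchor = $doc->getElementsByTagName('a')->item(0);
    return $anchor ? $anchor->getAttribute('title') : null;
}

// The title is intact only if the parsed attribute equals the stored name.
function title_is_intact($html, $name) {
    return parsed_title($html) === $name;
}

// Constructed sample: a category name containing a double quote and an ampersand.
$name = 'Monitors 19" & 22"';
$href = 'index.php'; // constructed placeholder

foreach (array('before' => sublevel_link_before($name, $href),
               'after'  => sublevel_link_after($name, $href)) as $label => $html) {
    echo $label, ': ', $html, "\n";
    echo '  parsed title: ', var_export(parsed_title($html), true), "\n";
    echo '  intact: ', var_export(title_is_intact($html, $name), true), "\n";
}
```

The same round-trip check can be used as a regression test for any other place where a database value is concatenated into an HTML attribute.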