Restore htmlspecialchars() on the editToken value before outputting to HTML.
While at the moment the editToken() value is safe for literal inclusion is HTML output, it's a black-box value to the rest of the code and such safety is not guaranteed. Escaping text values being placed in HTML/XML attributes or text elements is a regular part of the output process and it's a bad habit to leave it out on text values that are produced elsewhere; they can and do change (such as all those localized messages which are now user-editable...)