Is this HTML being returned by an outside source, or is it something that you can edit?

I'm pretty sure that the part inside of the value='' tags should be escaped by using HTML entities like this:

value='[<a href="#fen-NIV-26127a" title="See footnote a">a</a>]'