Issue #1919338 by catch, swentel, bblake, EllaTheHarpy, Cottser: Select widget (from the options module) prone to double encoding.

core/modules/options/lib/Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php

@@ -48,7 +48,7 @@ class SelectWidget extends OptionsWidgetBase {
    */
   static protected function sanitizeLabel(&$label) {
     // Select form inputs allow unencoded HTML entities, but no HTML tags.
-    $label = strip_tags($label);
+    $label = decode_entities(strip_tags($label));
   }
 
   /**

core/modules/options/lib/Drupal/options/Tests/OptionsWidgetsTest.php

@@ -69,7 +69,7 @@ class OptionsWidgetsTest extends FieldTestBase {
       'cardinality' => 1,
       'settings' => array(
         // Make sure that 0 works as an option.
-        'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>'),
+        'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>', 3 => 'Some HTML encoded markup with &lt; &amp; &gt;'),
       ),
     ));
     $this->card_1->save();
@@ -135,6 +135,7 @@ class OptionsWidgetsTest extends FieldTestBase {
     $this->assertNoFieldChecked('edit-card-1-1');
     $this->assertNoFieldChecked('edit-card-1-2');
     $this->assertRaw('Some dangerous &amp; unescaped <strong>markup</strong>', 'Option text was properly filtered.');
+    $this->assertRaw('Some HTML encoded markup with &lt; &amp; &gt;');
 
     // Select first option.
     $edit = array('card_1' => 0);