From 966c33022f544ee70a2393fbd55eeb93a7c646f9 Mon Sep 17 00:00:00 2001
From: Alex Pott
Date: Mon, 24 Feb 2014 09:57:30 +0000
Subject: [PATCH] Issue #1919338 by catch, swentel, bblake, EllaTheHarpy, Cottser: Select widget (from the options module) prone to double encoding.
---
 .../Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php | 2 +-
 .../options/lib/Drupal/options/Tests/OptionsWidgetsTest.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/modules/options/lib/Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php b/core/modules/options/lib/Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php
index cd7f76a89c0..6d374405d5a 100644
--- a/core/modules/options/lib/Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php
+++ b/core/modules/options/lib/Drupal/options/Plugin/Field/FieldWidget/SelectWidget.php
@@ -48,7 +48,7 @@ class SelectWidget extends OptionsWidgetBase {
    */
   static protected function sanitizeLabel(&$label) {
     // Select form inputs allow unencoded HTML entities, but no HTML tags.
-    $label = strip_tags($label);
+    $label = decode_entities(strip_tags($label));
   }
 
   /**
diff --git a/core/modules/options/lib/Drupal/options/Tests/OptionsWidgetsTest.php b/core/modules/options/lib/Drupal/options/Tests/OptionsWidgetsTest.php
index fd8db175a79..a24a7a9b533 100644
--- a/core/modules/options/lib/Drupal/options/Tests/OptionsWidgetsTest.php
+++ b/core/modules/options/lib/Drupal/options/Tests/OptionsWidgetsTest.php
@@ -69,7 +69,7 @@ class OptionsWidgetsTest extends FieldTestBase {
       'cardinality' => 1,
       'settings' => array(
         // Make sure that 0 works as an option.
-        'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some & unescaped markup'),
+        'allowed_values' => array(0 => 'Zero', 1 => 'One', 2 => 'Some & unescaped markup', 3 => 'Some HTML encoded markup with < & >'),
       ),
     ));
     $this->card_1->save();
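Review bot: The added `decode_entities()` call runs after `strip_tags()`, so a label stored as an encoded tag (for example `&lt;b&gt;`, constructed) comes back as a literal `<b>` with its tags intact; that is only safe if the select element renderer re-escapes option labels on output, which nothing in this hunk shows. The in-line comment should record that dependency, e.g. `// Decoding after strip_tags() can yield raw '<' and '>'; this relies on the select renderer escaping option labels, so never reuse the result as raw output.` The doc comment that precedes sanitizeLabel begins above the hunk. `$label` is untyped and passed by reference; a `string` hint would be the natural next step but is outside this change.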
@@ -135,6 +135,7 @@ class OptionsWidgetsTest extends FieldTestBase {
     $this->assertNoFieldChecked('edit-card-1-1');
     $this->assertNoFieldChecked('edit-card-1-2');
     $this->assertRaw('Some dangerous & unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('Some HTML encoded markup with < & >');
 
     // Select first option.
     $edit = array('card_1' => 0);
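Review bot: The new assertion only checks that an encoded label is not double-encoded; there is no case showing that decoding after strip_tags() cannot re-introduce markup, which is the risk the widget change creates. An allowed value holding an encoded tag, such as `&lt;em&gt;` (constructed example), paired with `$this->assertNoRaw('<em>');` against the rendered form would pin that down. The entity characters on this page appear to have been decoded during extraction, so the literal strings in the added value and assertion could not be verified here. The enclosing test method begins above the hunk.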