[security] Drop |raw on select option text (GHSA-c2q3-p4jr-c55f)

Removed the |raw filter from all four option-text expressions in
templates/forms/fields/select/select.html.twig. Option labels — including
taxonomy values that propagate cross-page through the admin's shared
selection pool — are now autoescaped, so a lower-privileged editor can no
longer inject script that runs in an admin's browser when they open any
page editor.

Bumps to 9.0.1.

Author: rhukster

CHANGELOG.md

@@ -1,3 +1,9 @@
+# v9.0.1
+## 04/23/2026
+
+1. [](#bugfix)
+   * [security] Fixed stored XSS in select-field option text (GHSA-c2q3-p4jr-c55f). Removed the `|raw` filter from `templates/forms/fields/select/select.html.twig`; option labels — including taxonomy values that propagate cross-page through the admin's shared selection pool — are now autoescaped, so a lower-privileged editor can no longer inject script that runs in an admin's browser when they open any page editor.
+
 # v9.0.0
 ## 04/21/20265
 

blueprints.yaml

@@ -1,7 +1,7 @@
 name: Form
 slug: form
 type: plugin
-version: 9.0.0
+version: 9.0.1
 description: Enables forms handling and processing
 icon: check-square
 author:

templates/forms/fields/select/select.html.twig

@@ -34,7 +34,7 @@
                     {% endfor %}
                 {% endif %}
                 >
-            {% if field.placeholder %}<option value="" disabled selected>{{ field.placeholder|t|raw }}</option>{% endif %}
+            {% if field.placeholder %}<option value="" disabled selected>{{ field.placeholder|t }}</option>{% endif %}
 
             {% set options = field.options %}
             {% if field.selectize.create and value %}
@@ -52,7 +52,10 @@
                         {{ item_value.label    ? 'label=' ~ item_value.label : '' }}
                         value="{{ akey }}"
                     >
-                        {{ avalue|raw }}
+                        {# GHSA-c2q3-p4jr-c55f: dropped |raw — option text is now
+                           autoescaped so taxonomy/option values supplied by
+                           lower-privileged editors can no longer inject script. #}
+                        {{ avalue }}
                     </option>
                 {% elseif item_value is iterable %}
                     {% set optgroup_label = item_value|keys|first %}
@@ -62,14 +65,14 @@
                           {% set item_value = (field.selectize and field.multiple ? suboption : subkey)|string %}
                           {% set selected = (field.selectize ? suboption : subkey)|string %}
                           <option {% if subkey is same as (value) or (field.multiple and selected in value) %}selected="selected"{% endif %} value="{{ subkey }}">
-                            {{ suboption|t|raw }}
+                            {{ suboption|t }}
                           </option>
                       {% endfor %}
                     </optgroup>
                 {% else %}
                     {% set val = (field.selectize and field.multiple ? item_value : key)|string %}
                     {% set selected = (field.selectize ? item_value : key)|string %}
-                    <option {% if val is same as (value) or (field.multiple and selected in value) %}selected="selected"{% endif %} value="{{ val }}">{{ item_value|t|raw }}</option>
+                    <option {% if val is same as (value) or (field.multiple and selected in value) %}selected="selected"{% endif %} value="{{ val }}">{{ item_value|t }}</option>
                 {% endif %}
             {% endfor %}