Checkbox/Radio // no escaping for choice labels. It can be possible that those labels actually have HTML in text.

Christian Leucht · Christian Leucht · commit f7d7061ea655 · 2023-07-03T10:03:21.000+02:00
diff --git a/src/View/Checkbox.php b/src/View/Checkbox.php
@@ -57,7 +57,7 @@ public function render(ElementInterface $element): string
             $label = sprintf(
                 '<label for="%s">%s</label>',
                 $this->escapeAttribute($elementAttr['id']),
-                $this->escapeHtml($choice['label'])
+                $choice['label']
             );
 
             $html[] = sprintf(
diff --git a/src/View/Radio.php b/src/View/Radio.php
@@ -44,7 +44,7 @@ public function render(ElementInterface $element): string
             $label = sprintf(
                 '<label for="%s">%s</label>',
                 $this->escapeAttribute($elementAttr['id']),
-                $this->escapeHtml($choice['label'])
+                $choice['label']
             );
 
             $html[] = sprintf(
