Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options

An authenticated administrator with `allowAdminChanges` enabled can inject arbitrary JavaScript into settings names or field option labels (e.g., section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels) [ref_id=3]. The payload is stored and later rendered without sanitization in control-panel pages such as field source checklists, user permission pages, user profile pages, and card attribute checklists [ref_id=3]. When another administrator visits the affected page, the injected script executes in their browser session, enabling actions such as session hijacking or further administrative actions [CWE-79].

The vulnerability spans multiple Twig templates and JavaScript UI helpers. The primary sink is `templates/_includes/forms/checkbox.twig` and `templates/_includes/forms/radio.twig`, which rendered the `label` variable with `{{ label|raw }}` without escaping [ref_id=1][ref_id=2]. Additional sinks include `Craft.ui.createSelect()`, `Craft.ui.createCheckbox()`, and `Craft.GeneratedFieldsTable.Row`, which used `.html()` or `html:` to set option/label content from user-supplied names [ref_id=1][ref_id=2]. The patch also escapes labels in `previewPlaceholderHtml()` via `Html::encode()` [ref_id=1].

The patches remove the unsafe `|raw` filter from `checkbox.twig` and `radio.twig`, causing Twig's auto-escaping to encode the label [ref_id=1][ref_id=2]. In JavaScript, `Craft.ui.createSelect()` and `Craft.ui.createCheckbox()` now use `.text()` instead of `.html()` for the `label` property, and a new `labelHtml` property is introduced for cases where raw HTML is intentionally needed [ref_id=1][ref_id=2]. The `previewPlaceholderHtml()` method now calls `Html::encode()` on each label before rendering [ref_id=1]. These changes ensure that attacker-supplied names and labels are HTML-escaped by default, preventing script injection.