diff --git a/core/includes/form.inc b/core/includes/form.inc
index acb81e866106a93e133b6929fe19e9a290f07eb8..649a8a1ae1299acefac43994c9bf9dbc08a022e4 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -888,7 +888,7 @@ function form_select_options($element, $choices = NULL) {
   $options = '';
   foreach ($choices as $key => $choice) {
     if (is_array($choice)) {
-      $options .= '<optgroup label="' . $key . '">';
+      $options .= '<optgroup label="' . String::checkPlain($key) . '">';
       $options .= form_select_options($element, $choice);
       $options .= '</optgroup>';
     }
diff --git a/core/modules/options/src/Tests/OptionsWidgetsTest.php b/core/modules/options/src/Tests/OptionsWidgetsTest.php
index d124840ce597fe37127fb0eb51759b9eb626683c..4f809fcaa9fad414a67db2c2c677f440252fc7be 100644
--- a/core/modules/options/src/Tests/OptionsWidgetsTest.php
+++ b/core/modules/options/src/Tests/OptionsWidgetsTest.php
@@ -317,6 +317,7 @@ function testSelectListSingle() {
     $this->assertNoOptionSelected('edit-card-1', 1);
     $this->assertNoOptionSelected('edit-card-1', 2);
     $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
     $this->assertRaw('Group 1', 'Option groups are displayed.');
 
     // Submit form: select first option.
@@ -437,6 +438,7 @@ function testSelectListMultiple() {
     $this->assertNoOptionSelected('edit-card-2', 1);
     $this->assertNoOptionSelected('edit-card-2', 2);
     $this->assertRaw('Some dangerous &amp; unescaped markup', 'Option text was properly filtered.');
+    $this->assertRaw('More &lt;script&gt;dangerous&lt;/script&gt; markup', 'Option group text was properly filtered.');
     $this->assertRaw('Group 1', 'Option groups are displayed.');
 
     // Submit form: select first option.
diff --git a/core/modules/options/tests/options_test.module b/core/modules/options/tests/options_test.module
index 1416fa0e6ca9dcd54ef3698132441c1e86bbc91e..bfd4315d48ba65797f629291accf55d1b0be7335 100644
--- a/core/modules/options/tests/options_test.module
+++ b/core/modules/options/tests/options_test.module
@@ -20,6 +20,9 @@ function options_test_allowed_values_callback(FieldDefinitionInterface $field_de
     'Group 2' => array(
       2 => 'Some <script>dangerous</script> & unescaped <strong>markup</strong>',
     ),
+    'More <script>dangerous</script> markup' => array(
+      3 => 'Three',
+    ),
   );
 
   return $values;