diff -u b/modules/image/image.module b/modules/image/image.module
--- b/modules/image/image.module
+++ b/modules/image/image.module
@@ -777,7 +777,15 @@
     $options[''] = t('');
   }
   foreach ($styles as $name => $style) {
-    $options[$name] = $style['label'];
+    // If the output of this function is being used to construct checkbox or
+    // radio options (for example) rather than select list options, it must be
+    // filtered for security reasons. Normally that is the responsibility of
+    // the calling code, but since this function switched from returning
+    // machine names to human-readable names after Drupal 7 was released, and
+    // since the machine names did not require sanitization, we filter the
+    // label here for backwards compatibility, using filter_xss_admin(). This
+    // filtering will be removed in Drupal 8.
+    $options[$name] = filter_xss_admin($style['label']);
   }
   if (empty($options)) {