Fix WPForms CRM select output escaping

[davidperezgar]

Fixes improper HTML escaping in the WPForms CRM selector dropdown. The wp_kses_post() function was being used to escape already-escaped <option> HTML, which was stripping valid value attributes and causing the select to render incorrectly.

Changes

• Escape <option> value attribute with esc_attr() instead of leaving it unescaped
• Escape <option> label text with esc_html() instead of leaving it unescaped
• Replace wp_kses_post() on the final printf() output (which was incorrectly stripping properly-built HTML) with a direct output + phpcs:ignore comment, since individual values are already escaped at construction time

Benefits

• The CRM type selector in WPForms now renders correctly with all options visible
• Output follows WordPress security best practices: each piece of data is escaped at the point of output with the correct escaping function
• No false positives from wp_kses_post() stripping valid attribute content

Testing Instructions

1. Install and activate WPForms and FormsCRM
2. Go to WPForms → All Forms and edit any form
3. Navigate to the Marketing tab in the form builder
4. Click Add New Connection for FormsCRM
5. Verify the CRM Type dropdown renders all available CRM options correctly
6. Select a CRM option and confirm the value is saved properly

Checklist

• Code follows WordPress Coding Standards
• Self-reviewed the code
• Added necessary comments (phpcs:ignore with justification)
• No new linter errors