move the logic that sets the button text into its own method so that it can be overridden, and use text() instead of html() by default to prevent XSS attacks. fixes #229

Author: ehynds

src/jquery.multiselect.js

@@ -228,11 +228,17 @@
         }
       }
 
-      this.buttonlabel.html(value);
+      this._setButtonValue(value);
 
       return value;
     },
 
+    // this exists as a separate method so that the developer 
+    // can easily override it.
+    _setButtonValue: function(value) {
+      this.buttonlabel.text(value);
+    },
+
     // binds events
     _bindEvents: function() {
       var self = this;

tests/unit/options.js

@@ -120,12 +120,13 @@
 	});
 
 	test("selectedList - encoding", function() {
+	  expect(1);
+
 		el = $('<select><option value="A&amp;E">A&amp;E</option></select>')
 			.appendTo("body")
 			.multiselect({ selectedList: 1 });
 
-		equals(button().text(), 'A&E');
-		equals(button().find("span").last().html(), 'A&amp;E');
+		equals(button().text(), 'A&amp;E');
 		el.multiselect("destroy").remove();
 	});