js/widgets/forms/select.custom.js

@@ -460,10 +460,15 @@ $.widget( "mobile.selectmenu", $.mobile.selectmenu, {
 			}
 
 			parent = option.parentNode;
-			text = $option.getEncodedText();
-			anchor  = document.createElement( "a" );
 			classes = [];
 
+			// Although using .text() here raises the risk that, when we later paste this into the
+			// list item we end up pasting possibly malicious things like <script> tags, that risk
+			// only arises if we do something like $( "<li><a href='#'>" + text + "</a></li>" ). We
+			// don't do that. We do document.createTextNode( text ) instead, which guarantees that
+			// whatever we paste in will end up as text, with characters like <, > and & escaped.
+			text = $option.text();
+			anchor = document.createElement( "a" );
 			anchor.setAttribute( "href", "#" );
 			anchor.appendChild( document.createTextNode( text ) );
 

tests/integration/select/index.html

@@ -36,6 +36,10 @@
 	<div id="qunit"></div>
 
 	<div id="default" data-nstest-role="page" data-nstest-theme="c">
+		<select id="encoding-test" data-nstest-native-menu="false">
+			<option value="1">&lt;script&gt;$( "*" ).css( "background-color", "red" );&lt;/script&gt;</option>
+			<option value="2">Another option</option>
+		</select>
 		<select name="small-select-change-after-close" id="small-select-change-after-close" data-nstest-native-menu="false">
 			<option value="1">One</option>
 			<option value="2">Two</option>

tests/integration/select/select_core.js

@@ -19,6 +19,11 @@
 
 	var homeWithSearch = $.mobile.path.parseUrl(location.pathname).pathname + location.search;
 
+	test( "No tags are accidentally injected during list building", function() {
+		deepEqual( $( "#encoding-test-menu > li:first-child > a > script" ).length, 0,
+			"No script tag has ended up inside the anchor" );
+	});
+
 	module(libName, {
 		setup: function() {
 			$.mobile.navigate.history.stack = [];