the plugin does not filter text from source selects: for option with text like: "abc "><script>alert('hack')</script> def "><script>alert('hack!')</script> "
it will execute the script inside (on init and options change).