Try having the text of an option element as something like <script>alert(11)</script> (<script>alert(11)</script> escaped). When you take $optionText with text() you get the unescaped content. When you set it later on the span.sod_option using html() you're basically undoing the escaping. This fixes it by keeping the escaped content.
Try having the text of an option element as something like
<script>alert(11)</script>(<script>alert(11)</script>escaped). When you take $optionText with text() you get the unescaped content. When you set it later on the span.sod_option using html() you're basically undoing the escaping. This fixes it by keeping the escaped content.