diff --git a/src/dropkick.js b/src/dropkick.js
index 787bef18..f0989903 100644
--- a/src/dropkick.js
+++ b/src/dropkick.js
@@ -1109,7 +1109,7 @@ Dropkick.build = function( sel, idpre ) {
 ret.elem.appendChild( _.create( "div", {
 "class": "dk-selected " + ( selOpt ? selOpt.className : "" ),
 "tabindex": sel.tabindex || 0,
- "innerHTML": selOpt ? selOpt.text : ' ',
+ "innerHTML": selOpt ? selOpt.innerHTML : ' ',
 "id": idpre + "-combobox",
 "aria-live": "assertive",
 "aria-owns": optList.id,
diff --git a/tests/dropkick-test.js b/tests/dropkick-test.js
index fbc1e06a..28086061 100644
--- a/tests/dropkick-test.js
+++ b/tests/dropkick-test.js
@@ -1,4 +1,5 @@
 import { expect } from 'chai';
+import sinon from 'sinon';
 import {
 $,
 buildSelect,
@@ -263,4 +264,17 @@ describe('Dropkick tests', function() {
 });
 });
 });
+
+ describe('security', function() {
+ it('does not construct html from option node text', function(done) {
+ window.xssCallback = sinon.fake();
+ let select = buildSelect('xss_select', ['']);
+ this.dk = new Dropkick(select);
+ expect(this.dk.data.elem.querySelector('img')).to.equal(null);
+ setTimeout(function() {
+ expect(window.xssCallback).not.to.have.been.called;
+ done();
+ }, 10);
+ });
+ });
 });
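Review bot: The changed line still feeds option-derived data into an `"innerHTML"` sink; it is now safe only because the browser's serialization of the option escapes `<` and `&` on the way out, and `selOpt.innerHTML` would faithfully re-insert any child markup that happens to exist under the option node. The more robust fix is to stop parsing altogether: `"textContent": selOpt ? selOpt.text : ' ',` — assuming `_.create` assigns keys other than `innerHTML` as element properties, which I cannot see from this hunk, and noting that if the fallback is an HTML entity rather than a literal space it would need to become the literal character. If other places in this file copy option text into `innerHTML` (for example the option-list items or the selected-text refresh on change), they need the same treatment; none are visible here. The enclosing `Dropkick.build` starts and ends outside the hunk.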
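Review bot: `expect(window.xssCallback).not.to.have.been.called` depends on the sinon-chai plugin, and this hunk only imports `sinon`; unless `chai.use(sinonChai)` is registered elsewhere in the suite, that property is not a chai assertion and the line either throws an "Invalid Chai property" error inside the timer callback or, on older chai, asserts nothing. Sinon's own flag avoids the plugin: `expect(window.xssCallback.called).to.equal(false);`. The test also leaves `window.xssCallback` on the global object; add `delete window.xssCallback;` before `done()` or in an `afterEach`. As rendered here the fixture is `buildSelect('xss_select', [''])`, an empty option text, so if that is the real content rather than a rendering loss the case never exercises the changed line — the `img` query would find nothing regardless of the fix.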