diff --git a/pages/08.selections/docs.md b/pages/08.selections/docs.md
index d563450d..5f79efac 100644
--- a/pages/08.selections/docs.md
+++ b/pages/08.selections/docs.md
@@ -25,10 +25,16 @@ function formatState (state) {
   if (!state.id) {
     return state.text;
   }
+
   var baseUrl = "{{ url('user://pages/images/flags') }}";
   var $state = $(
-    '<span><img src="' + baseUrl + '/' + state.element.value.toLowerCase() + '.png" class="img-flag" /> ' + state.text + '</span>'
+    '<span><img class="img-flag" /> <span></span></span>'
   );
+
+  // Use .text() instead of HTML string concatenation to avoid script injection issues
+  $state.find("span").text(state.text);
+  $state.find("img").attr("src", baseUrl + "/" + state.element.value.toLowerCase() + ".png");
+
   return $state;
 };