Description
New feature motivation
The validation messages should be HTML-escaped in the showLabel function.
New feature description
There is a script injection risk if the messages set via $.validator.messages etc. originate from a user-localizable dictionary, such as a translation screen, because the showLabel function uses .html() to set the label content. Even in cases where that is not an issue, if the message itself contains a format placeholder like "{0} is not a valid value for this field", the value substituted for {0} is user input, so it still provides an opportunity for script injection, albeit at a lower risk.
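To make the risk concrete, here is an added example (not the plugin's own code) that reproduces the path described above in plain JavaScript: a simplified stand-in for the plugin's placeholder formatting, and a function that builds the string showLabel would hand to .html(). Both the translated-message case and the "{0}" case are covered; escapeHtml, format, buildLabelHtml and the sample inputs are all assumptions for illustration.

```javascript
// Added example, not code from the jQuery Validation plugin.
// Escape the characters that matter in an HTML text node or attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simplified placeholder substitution: "{0}", "{1}", ... are replaced by args.
// Assumed stand-in for the plugin's formatter, not copied from it.
function format(template, args) {
  return template.replace(/\{(\d+)\}/g, function (match, index) {
    return index < args.length ? String(args[index]) : match;
  });
}

// Returns the string that would be passed to label.html().
// escape=false: current behaviour, template and values land in the DOM as markup.
// escape=true:  template and substituted values are escaped first, so a message
//               from a translation dictionary or a user-supplied field value
//               can only ever render as text.
function buildLabelHtml(template, args, escape) {
  if (!escape) {
    return format(template, args);
  }
  return format(escapeHtml(template), args.map(escapeHtml));
}

// Constructed sample inputs (not real data).
var placeholderMessage = "{0} is not a valid value for this field";
var userValue = '<img src=x onerror="alert(1)">';
var translatedMessage = '<b onmouseover="alert(2)">Required field</b>';

// Shows both cases side by side: the "{0}" substitution and a message whose
// own text carries markup (the translation-dictionary case).
function demo() {
  return {
    placeholderUnsafe: buildLabelHtml(placeholderMessage, [userValue], false),
    placeholderSafe: buildLabelHtml(placeholderMessage, [userValue], true),
    translatedUnsafe: buildLabelHtml(translatedMessage, [], false),
    translatedSafe: buildLabelHtml(translatedMessage, [], true)
  };
}
```

Note that with escaping on, any deliberate markup in a message is rendered literally as well, which is why the issue proposes the option as opt-in rather than changing the default.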
New feature implementation
I'll be sending a pull request to implement this. The default will be false for backward compatibility. I don't think anyone uses HTML markup in validation messages, so it should not be a problem even if the default became true, but just in case someone does.