AUI dropdowns that get their content from a service via AJAX will HTML escape the content in items in the dropdown but they do NOT HTML escape the section labels in the dropdown.
See the docs for async dropdowns at Dropdowns - AUI Documentation
If no change is made to AUI to address the inconsistency then the AUI documents should probably point it out. Make it clear that we are expected to HTML escape the section labels but not the item content.
Alternatively, change AUI async dropdowns so that they escape the value for the section labels.
Here is a sample JSON response that can be used to show the problem. Notice how both the section label and the item content are XSS payloads. AUI does not escape the label when it is used but it does escape the item content:
[{“type”:“section”,
“label”:“"><img src=x onerror=alert(‘helloFromSectionLabel’)>”,
“items”:[{“type”:“link”,“href”:“#card-5611”,
“content”:""><img src=x onerror=alert(‘helloFromItemContent’)> "}]}]
I am making changes in my code to escape the label value myself.
Thanks.