Comment 11 for bug 1417762

Akihiro Motoki (amotoki) wrote:

The example in the bug description is just an example. In my understanding, the point is that if you specify an invalid choice which contains JS code for a choice field, the specified value is returned as part of an error message.

I am not sure how it has a potential risk of XSS. The case here is that if an API user sends a crafted string, he receives the crafted string.