devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
The default formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls (or can taint) the suggestion data source.