<telerik:RadComboBox
    runat="server"
    ID="CB"
    AllowCustomText="true"
    HighlightTemplatedItems="true"
    EnableViewState="false"
    CheckBoxes="true"
    EnableLoadOnDemand="true"
    OnItemsRequested="CB_ItemsRequested"
></telerik:RadComboBox>
Specifically, note that CheckBoxes is true.
In some cases, a combo box item's text may contain HTML tags, but we don't want that HTML to be interpreted, and we're happy that RadComboBox automatically encodes the item's name. For example, the item's text might be <img src=xxx onerror=alert(0)>, and of course we don't want that JavaScript to run.
However, we have found a case where the text is not properly escaped, in which case the JavaScript does run and the alert popup shows. The error is in RadComboBox.CheckBoxes.js, in the _checkedItemsTextsFitInputWidth function. That function is passed the comma-separated string of all the selected items' texts. This function wants to measure the width of the string, and so it creates a div off-screen and then pushes the checkedItemTexts string into the div. If the checkedItemTexts string contains any HTML tags that contain JavaScript, then that JavaScript is executed, which can be an XSS attack.
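The pattern described above, a measurement div filled from untrusted item text, is a classic DOM sink problem. The following is an added example, not Telerik's code and not the `_checkedItemsTextsFitInputWidth` implementation: it shows the two defensive options (assign via `textContent`, or HTML-escape before any `innerHTML` assignment) and a small check that flags item texts that look like markup. The item texts and the `", "` separator are constructed assumptions; the report only says the string is comma separated.

```javascript
// Added example (not Telerik's code): safe ways to push untrusted item text into an
// off-screen measurement element. The sample items are constructed; the second one
// is the payload quoted in the report.
const CONSTRUCTED_CHECKED_ITEMS = [
  "Plain item",
  "<img src=xxx onerror=alert(0)>",
  "Tom & Jerry",
];

// Assumed separator; the report only states "comma separated".
const SEPARATOR = ", ";

// Minimal HTML escaper for the case where the joined text must go through innerHTML.
// Covers the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Option 1: build the joined string already escaped, so assigning it to innerHTML
// renders the tags as literal text and creates no elements or event handlers.
function joinCheckedItemTextsEscaped(items) {
  return items.map(escapeHtml).join(SEPARATOR);
}

// Option 2 (preferred): assign the raw joined string via textContent. The rendered
// width is the same as what innerHTML would have produced for real text, but the
// browser never parses the string as markup. `el` is any DOM element, e.g. the
// off-screen div used for measuring; a plain object works for offline testing.
function fillMeasurementElement(el, items) {
  el.textContent = items.join(SEPARATOR);
  return el.textContent;
}

// Detection aid: flag item texts that look like markup so they can be logged or
// rejected server-side before they ever reach client script. Heuristic only.
function looksLikeMarkup(text) {
  return /<\s*[a-zA-Z!/]/.test(String(text));
}

// Stand-alone usage (works in Node without a DOM by using a plain object as `el`).
if (typeof require !== "undefined" && require.main === module) {
  const el = typeof document !== "undefined" ? document.createElement("div") : {};
  console.log("textContent:", fillMeasurementElement(el, CONSTRUCTED_CHECKED_ITEMS));
  console.log("escaped    :", joinCheckedItemTextsEscaped(CONSTRUCTED_CHECKED_ITEMS));
  console.log("flagged    :", CONSTRUCTED_CHECKED_ITEMS.filter(looksLikeMarkup));
}
```

In a browser, `fillMeasurementElement` on a real off-screen div gives the same `offsetWidth` measurement the original code needs while removing the sink; `looksLikeMarkup` is for logging and server-side validation, not as the sole defence, since encoding at the sink is what actually prevents execution.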