I know what I just described is a reflected XSS vulnerability. What I can't figure out is why it is a vulnerability. Because the way I see it, a user can't be directed to the attacker's content because the AJAX is executed without a page refresh or a URL change. What am I missing here?
-- EDIT --
To edit the question and provide a little more context, I'm trying to figure out how echoing unsanitized data from AJAX into the page would be a bad thing. Because here is how I see XSS vulnerabilities:
1. JavaScript from an uncontrolled source (i.e. an attacker) is allowed to insert JavaScript into the page.
2. The user is navigated to the said page with the evil JavaScript embedded in the page.
3. Exploit happens (cookies are stolen, the user logs in over an attacker-made login screen, etc.)
I can't see how this is a problem with AJAX. Because the request is made in the page and you (as the attacker) can't direct a user to a page where part of the content was loaded with AJAX.
Or, in other words, you can't perform a search query on a search engine that uses AJAX to query a remote endpoint and display the results on the page, then direct a user to that page with those results shown. The results would disappear.
What am I missing here?
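The sink the question describes (AJAX response data echoed into the page unsanitized), shown next to a hardened form. This is an added example, not part of the original post; the response shape, field names, and function names are assumptions, and the sample response is constructed.

```javascript
// Constructed AJAX search response; the field names are assumptions.
const sampleResponse = {
  query: '<img src=x onerror="alert(1)">', // constructed test string echoed back by the server
  results: ['First <b>hit</b>', 'Second hit'],
};

// HTML-escape a value so the browser treats it as text, not markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: response data is concatenated into a string that the
// page would then assign to element.innerHTML.
function renderUnsafe(resp) {
  const items = resp.results.map((r) => '<li>' + r + '</li>').join('');
  return '<p>Results for ' + resp.query + '</p><ul>' + items + '</ul>';
}

// Hardened pattern: every response field is escaped before it reaches the
// markup. In a browser, element.textContent gives the same guarantee.
function renderSafe(resp) {
  const items = resp.results.map((r) => '<li>' + escapeHtml(r) + '</li>').join('');
  return '<p>Results for ' + escapeHtml(resp.query) + '</p><ul>' + items + '</ul>';
}

// List the element names an HTML parser would open for this fragment.
// Closing tags start with "</" and are not matched.
function openedTags(html) {
  return (html.match(/<[a-zA-Z][^\s>\/]*/g) || []).map((t) => t.slice(1).toLowerCase());
}

// Unsafe output opens elements the page template never contained.
console.log('unsafe:', openedTags(renderUnsafe(sampleResponse)).join(','));
// Safe output opens only the template's own elements.
console.log('safe:  ', openedTags(renderSafe(sampleResponse)).join(','));
```

The extra `img` and `b` elements in the unsafe output come from the response data, not from the page's template; whether the data arrived via a full page load or an in-page request makes no difference to how the sink parses it.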