XSS in the `altField` option of the Datepicker widget

Moderate
mgol published GHSA-9gj3-hwp5-pmwc Oct 25, 2021

Package

npm jquery-ui (npm)

Affected versions

<1.13.0

Patched versions

1.13.0

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.
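One way to apply this workaround in application code, as an added example that is not part of the advisory or of jQuery UI itself: before a request-supplied value reaches the `altField` option, accept only a strict `#id` selector (and, optionally, only ids from an allowlist the page knows about). The selector pattern and the `allowedIds` allowlist are assumptions about the application, not anything jQuery UI provides.

```javascript
// Added example (not jQuery UI code). Before 1.13.0 the altField string was
// handed to $(), and a string beginning with "<" is parsed by $() as HTML, so
// the widget would create the attacker's element. Restricting the value to a
// strict CSS id selector keeps HTML out regardless of the jQuery UI version.

// Only "#" followed by a CSS identifier; anything else (HTML, commas, quotes) is rejected.
const ID_SELECTOR = /^#[A-Za-z_][\w-]*$/;

// Returns the selector if it is safe to pass on, otherwise null.
// allowedIds (assumed, application-specific) is a Set of input ids the page uses.
function safeAltField(untrusted, allowedIds) {
  if (typeof untrusted !== "string") return null;
  const value = untrusted.trim();
  if (!ID_SELECTOR.test(value)) return null;          // rejects "<img onerror=...>"
  const id = value.slice(1);
  if (allowedIds && !allowedIds.has(id)) return null; // unknown target field
  return value;
}

// Builds the options object for $.fn.datepicker, omitting altField when the
// untrusted value does not pass validation instead of passing it through.
function datepickerOptions(untrustedAltField, allowedIds) {
  const opts = { dateFormat: "yy-mm-dd" };
  const selector = safeAltField(untrustedAltField, allowedIds);
  if (selector !== null) opts.altField = selector;
  return opts;
}

// In a page: $( "#datepicker" ).datepicker( datepickerOptions( valueFromRequest, allowedIds ) );
```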

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Severity

Moderate

CVE ID

CVE-2021-41182

Weaknesses

No CWEs

Credits