Impact
Accepting the value of the altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing
function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField
option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the altField
option from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
Impact
Accepting the value of the
altField
option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:will call the
doEvilThing
function.Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the
altField
option is now treated as a CSS selector.Workarounds
A workaround is to not accept the value of the
altField
option from untrusted sources.For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.