XSS in the `of` option of the `.position()` util

Moderate
mgol published GHSA-gpqq-952q-5327 Oct 25, 2021

Package

npm jquery-ui (npm)

Affected versions

<1.13.0

Patched versions

1.13.0

Description

Impact

Accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. For example, invoking the following code:

```js
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
```

will call the `doEvilThing()` function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the `of` option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Severity

Moderate

CVE ID

CVE-2021-41184

Weaknesses

No CWEs

Credits