GHSA-j7qv-pgf6-hvh4
GitHub Security Advisory
XSS in `*Text` options of the Datepicker widget in jquery-ui
Advisory Details
### Impact
Accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
```js
$( "#datepicker" ).datepicker( {
showButtonPanel: true,
showOn: "both",
closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
```
will call `doEvilThing` with 6 different parameters coming from all `*Text` options.
### Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML.
### Workarounds
A workaround is to not accept the value of the `*Text` options from untrusted sources.
### For more information
If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues). If you don't find an answer, open a new issue.
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.