", }...">
Accepting the value of the altField
option of the Datepicker
widget from untrusted sources may execute untrusted code. For
example, initializing the datepicker in the following way:
$("#datepicker").datepicker( {
altField: "<img src="/404">",
} );
will call the doEvilThing
function.
The issue is fixed in jQuery UI 1.13.0. Any string value passed to
the altField
option is now treated as a CSS selector.
A workaround is to not accept the value of the altField
option
from untrusted sources.
If you have any questions or comments about this advisory, search
for a relevant issue in
the jQuery UI repo.
If you donβt find an answer, open a new issue."
CPE | Name | Operator | Version |
---|---|---|---|
jquery-ui-rails | lt | 7.0.0 |