XSS in the `altField` option of the Datepicker widget in jquery-ui

Impact

Accepting the value of the altField option of the Datepicker
widget from untrusted sources may execute untrusted code. For
example, initializing the datepicker in the following way:

$("#datepicker").datepicker( {
  altField: "<img src="/404">",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to
the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option
from untrusted sources.

For more information

If you have any questions or comments about this advisory, search
for a relevant issue in
the jQuery UI repo.
If you don’t find an answer, open a new issue."