XSS in `*Text` options of the Datepicker widget in jquery-ui

Impact

Accepting the value of various *Text options of the Datepicker
widget from untrusted sources may execute untrusted code. For example, initializing
the datepicker in the following way:

$("#datepicker").datepicker( {
  showButtonPanel: true,
  showOn: "both",
  closeText: "<script>doEvilThing('closeText XSS')</script>",
  currentText: "<script>doEvilThing('currentText XSS')</script>",
  prevText: "<script>doEvilThing('prevText XSS')</script>",
  nextText: "<script>doEvilThing('nextText XSS')</script>",
  buttonText: "<script>doEvilThing('buttonText XSS')</script>",
  appendText: "<script>doEvilThing('appendText XSS')</script>",
  }
);

will call doEvilThing with 6 different parameters coming from
all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from
untrusted sources.

For more information

If you have any questions or comments about this advisory, search
for a relevant issue in
the jQuery UI repo.
If you don’t find an answer, open a new issue.