XSS in the `of` option of the `.position()` util in jquery-ui

Impact

Accepting the value of the of option of the
.position()
util from untrusted sources may execute untrusted code. For example, invoking the
following code:

$("#element").position( {
  my: "left top", at: "right bottom",
  of: "<img src="/404" />",
  collision: "none"
});

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to
the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from
untrusted sources.

For more information

If you have any questions or comments about this advisory, search
for a relevant issue in
the jQuery UI repo.

If you don’t find an answer, open a new issue."