XSS in the `altField` option of the Datepicker widget
Moderate
Description
Impact
Accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

```js
$("#datepicker").datepicker({
  altField: "<img onerror='doEvilThing()' src='/404' />",
});
```

will call the `doEvilThing` function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the `altField` option from untrusted sources.
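The following is an added example, not code from the advisory or from jQuery UI, showing one way to apply this workaround in application code: the `altField` value is only forwarded to the widget when it matches a strict id-selector allow-list (`SAFE_ID_SELECTOR`, `safeAltField` and `buildDatepickerOptions` are this example's own names). The allow-list is useful on any jQuery UI version, since even a selector-only `altField` should not be chosen by an untrusted party.

```javascript
// Added example: guard an untrusted altField value before it reaches
// $("#datepicker").datepicker(...). Allow-list and helper names are
// assumptions of this example, not part of jQuery UI.

// Only a plain id selector such as "#alt-date" is accepted. This rejects
// HTML fragments (the advisory's payload) and any other selector syntax.
const SAFE_ID_SELECTOR = /^#[A-Za-z][\w-]*$/;

// Returns the value unchanged when it is an allowed id selector, else null.
function safeAltField(untrusted) {
  if (typeof untrusted !== "string") return null;
  return SAFE_ID_SELECTOR.test(untrusted) ? untrusted : null;
}

// Builds the options object for the Datepicker. When the untrusted value
// fails the check, altField is simply omitted rather than passed through.
function buildDatepickerOptions(untrustedAltField, baseOptions = {}) {
  const alt = safeAltField(untrustedAltField);
  const options = { ...baseOptions };
  if (alt !== null) options.altField = alt;
  return options;
}

// Constructed inputs: the advisory's payload and a benign id selector.
const PAYLOAD = "<img onerror='doEvilThing()' src='/404' />";
const BENIGN = "#alt-date";

// In a page this would be: $("#datepicker").datepicker(
//   buildDatepickerOptions(valueFromQueryString, { dateFormat: "yy-mm-dd" }));
```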
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.