XSS in the `of` option of the `.position()` util
Moderate
Description
Impact
Accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The option was passed straight to `$()`, and jQuery treats a string that starts with `<` as HTML markup rather than as a selector: the elements are created and any event handler attributes on them run. For example, invoking the following code:

```js
$("#element").position({my:"left top",at:"right bottom",of:"<img onerror='doEvilThing()' src='/404' />",collision:"none"});
```

will create the `<img>` element and, when its `src` fails to load, call the `doEvilThing()` function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector and is no longer parsed as HTML, so a markup string like the one above is rejected as an invalid selector instead of being inserted into the document. Elements, jQuery objects and event objects passed as `of` are unaffected.
Workarounds
A workaround is to not accept the value of the `of` option from untrusted sources. If the target must be chosen at runtime, resolve the string to an element yourself (for example with `$(document).find(selector)`) and pass the resulting element or jQuery object to `.position()` rather than the raw string.
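The following is an added example, not jQuery UI's own code. It makes the impact and the workaround above concrete: `wouldParseAsHtml` reproduces the check jQuery's `$()` applies to decide whether a string is markup (the regular expression is copied from jQuery core), and `hardenPositionOptions` is a guard for applications still on a jQuery UI release before 1.13.0 that resolves a string `of` value as a CSS selector only, the way 1.13.0 itself does. The `find` parameter is an assumption of this example: in a browser you would pass `sel => $(document).find(sel)`; the function names and the fail-closed behaviour on an unmatched selector are choices made here, not part of the advisory.

```javascript
// Added example; not jQuery UI code. Shows why a string reaching $() is the
// problem and guards the `of` option for jQuery UI < 1.13.0.

// jQuery core decides whether $(str) should parse HTML with this "quick
// expression" (copied from jQuery's src/core/init.js): alternative 1 matches
// markup, alternative 2 matches a bare #id.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Mirrors jQuery's check: a string wrapped in <...> (at least 3 characters) or
// one whose first capture group matches is handed to jQuery.parseHTML, which
// creates the elements and so fires attribute handlers such as onerror.
function wouldParseAsHtml(value) {
  if (typeof value !== "string") return false;
  if (value.length >= 3 && value[0] === "<" && value[value.length - 1] === ">") {
    return true;
  }
  const match = rquickExpr.exec(value);
  return Boolean(match && match[1]);
}

// Guard for the `of` option. `find` resolves a selector to elements without ever
// parsing HTML; in a browser pass sel => $(document).find(sel). Non-string values
// (an element, a jQuery object, an Event) are passed through unchanged: they
// cannot carry markup, and jQuery UI already handles them.
// Design choice of this example: a selector that matches nothing is rejected
// rather than silently positioning against no element. Note that an invalid
// selector such as the <img ...> payload makes jQuery's find() throw a syntax
// error, which is also a rejection.
function hardenPositionOptions(options, find) {
  const of = options.of;
  if (typeof of !== "string") return options;
  const target = find(of);
  if (!target || target.length === 0) {
    throw new Error("position: `of` selector matched no element: " + JSON.stringify(of));
  }
  return Object.assign({}, options, { of: target });
}

// Browser usage on jQuery UI < 1.13.0 (hypothetical call, `untrustedTarget`
// is whatever string the user supplied):
//   $("#element").position(hardenPositionOptions(
//     { my: "left top", at: "right bottom", of: untrustedTarget, collision: "none" },
//     sel => $(document).find(sel)));
```

`wouldParseAsHtml` is useful on its own as a pre-check in logging or input validation: it reports the markup payload from the advisory as HTML and an ordinary selector such as `#target` or `.menu > li` as not HTML, so it tells you which strings the unpatched library would have handed to the HTML parser.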
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.