XSS in `*Text` options of the Datepicker widget
Moderate
Description
Impact
Accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

```js
$("#datepicker").datepicker({
    showButtonPanel: true,
    showOn: "both",
    closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
    currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
    prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
    nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
    buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
    appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
});
```

will call `doEvilThing` with 6 different parameters coming from all `*Text` options.
Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML.
Workarounds
A workaround is to not accept the value of the `*Text` options from untrusted sources.
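The following is an added example, not code from jQuery UI or this advisory. It contrasts the pre-1.13.0 behaviour described in Patches (a `*Text` value spliced into markup as HTML) with the fixed behaviour (the value escaped so it can only render as text), and adds a small audit helper for the Workarounds section that flags `*Text` options carrying markup before they reach the widget. The markup shape, class name and helper names are illustrative assumptions, not jQuery UI's real rendering.

```javascript
// Added example (not jQuery UI's own code). Constructed sample options,
// reusing the advisory's closeText payload alongside harmless labels.
const SAMPLE_OPTIONS = {
  closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
  currentText: "Today",
  prevText: "Prev",
  nextText: "Next",
};

// The datepicker options the advisory names as display labels.
const TEXT_OPTION_KEYS = [
  "closeText", "currentText", "prevText", "nextText", "buttonText", "appendText",
];

// Minimal HTML escaper: after this, a value can only ever be shown as text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (pre-1.13.0 behaviour): the option value is
// concatenated straight into markup, so a <script> payload becomes live HTML.
// Class name is illustrative, not jQuery UI's actual output.
function renderButtonUnsafe(label) {
  return "<button class='ui-datepicker-close'>" + label + "</button>";
}

// Fixed pattern (what 1.13.0 achieves): escape first, then build markup.
function renderButtonSafe(label) {
  return "<button class='ui-datepicker-close'>" + escapeHtml(label) + "</button>";
}

// Audit helper for the workaround: returns the *Text options whose value
// contains markup characters, i.e. values that must not come from an
// untrusted source on a pre-1.13.0 jQuery UI.
function findMarkupInTextOptions(options) {
  return TEXT_OPTION_KEYS.filter(
    (key) => key in options && escapeHtml(options[key]) !== String(options[key])
  );
}

// Detection check on rendered output: did a script element survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```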
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.