jquery-ui-rails 4.1.2
jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
Medium severity. CVE-2022-31160. Patched versions: >= 7.0.0
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes the contents of that parent label be treated as the input's label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to executing JavaScript code.
For example, starting with the following initial secure HTML, in which the img tag is entity-encoded and therefore inert:
  <label>
    <input id="test-input">
    &lt;img src=x onerror="alert(1)"&gt;
  </label>
and calling:
  $( "#test-input" ).checkboxradio();
  $( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
  <label>
    <!-- some jQuery UI elements -->
    <input id="test-input">
    <img src=x onerror="alert(1)">
  </label>
The entities have been decoded into a live img element, and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
  <label>
    <input id="test-input">
    <span>&lt;img src=x onerror="alert(1)"&gt;</span>
  </label>
References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS in the of option of the .position() util in jquery-ui
Patched versions: >= 7.0.0
Impact
Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
  $("#element").position( {
    my: "left top", at: "right bottom",
    of: "<img onerror='doEvilThing()' src='/404' />",
    collision: "none"
  });
will call the doEvilThing() function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the of option from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS in *Text options of the Datepicker widget in jquery-ui
Patched versions: >= 7.0.0
Impact
Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
  $("#datepicker").datepicker( {
    showButtonPanel: true,
    showOn: "both",
    closeText: "<script>doEvilThing('closeText XSS')</script>",
    currentText: "<script>doEvilThing('currentText XSS')</script>",
    prevText: "<script>doEvilThing('prevText XSS')</script>",
    nextText: "<script>doEvilThing('nextText XSS')</script>",
    buttonText: "<script>doEvilThing('buttonText XSS')</script>",
    appendText: "<script>doEvilThing('appendText XSS')</script>",
  } );
will call doEvilThing with 6 different parameters coming from all *Text options.
Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.
Workarounds
A workaround is to not accept the value of the *Text options from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS in the altField option of the Datepicker widget in jquery-ui
Patched versions: >= 7.0.0
Impact
Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
  $("#datepicker").datepicker( {
    altField: "<img onerror='doEvilThing()' src='/404' >",
  } );
will call the doEvilThing function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the altField option from untrusted sources.
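The .position() of option and the Datepicker altField option share one root cause: on jQuery UI before 1.13.0 the string is handed to $(), and jQuery parses any string that looks like HTML (creating the img element, whose onerror handler then fires) instead of treating it as a selector. The following is an added example, not code from jQuery UI or jquery-ui-rails, that reproduces jQuery's HTML-detection test as a pure function and uses it to reject such values before they reach the widget, which gives an application still on an older version the 1.13.0 behaviour. The regex is copied from jQuery 1.9 and later; the function names looksLikeHtmlToJQuery, requireSelectorOption and hardenSelectorOptions are my own.

```javascript
"use strict";

// Added example (not jQuery UI code). jQuery's $(string) treats the string
// as HTML, and parses it with all of its event handlers, when it starts with
// "<" and ends with ">" (length >= 3), or when it matches rquickExpr with the
// first capture group set (optional leading whitespace, a tag, trailing text
// without ">"). Everything else goes to querySelectorAll as a CSS selector.
// rquickExpr is copied from jQuery (1.9 and later); jQuery before 1.9 was
// more permissive (a tag anywhere in the string), so with such a jQuery this
// check under-detects.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function looksLikeHtmlToJQuery(str) {
  if (typeof str !== "string") {
    return false;
  }
  if (str.length >= 3 && str[0] === "<" && str[str.length - 1] === ">") {
    return true;
  }
  const match = RQUICK_EXPR.exec(str);
  return Boolean(match && match[1]);
}

// Enforce the 1.13.0 semantics on older versions: a string option must be a
// selector, never HTML. Non-string values (a DOM element, a jQuery object,
// an Event for .position()) are passed through untouched, since the widgets
// accept those directly.
function requireSelectorOption(name, value) {
  if (typeof value === "string" && looksLikeHtmlToJQuery(value)) {
    throw new TypeError(
      "option '" + name + "' must be a CSS selector, not HTML: " +
        JSON.stringify(value)
    );
  }
  return value;
}

// Hypothetical helper: return a copy of opts in which every listed option
// that is present has been checked. Call it before handing the options to
// the widget, e.g.
//   $("#element").position(hardenSelectorOptions(userOpts, ["of"]));
//   $("#datepicker").datepicker(hardenSelectorOptions(userOpts, ["altField"]));
function hardenSelectorOptions(opts, selectorOptionNames) {
  const out = Object.assign({}, opts);
  for (const name of selectorOptionNames) {
    if (Object.prototype.hasOwnProperty.call(out, name)) {
      out[name] = requireSelectorOption(name, out[name]);
    }
  }
  return out;
}
```

The check is deliberately a rejection, not a sanitization: stripping tags from a value that was supposed to be a selector would still hand the widget something meaningless, and the caller learns nothing. Note that a leading-whitespace payload such as "  <b>x</b> junk" is caught by the regex branch even though it does not start with "<".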
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS Vulnerability on closeText option of Dialog jQuery UI
Medium severity. CVE-2016-7103. Patched versions: >= 6.0.0
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
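The Datepicker *Text options and the Dialog closeText option share the other pattern on this page: a value documented as text was inserted as HTML. jQuery UI 1.13.0 (Datepicker) and 1.12.0 (Dialog) fix this by treating the values as text. The following added example, not code from jQuery UI or jquery-ui-rails, shows the equivalent defence for an application that cannot yet upgrade: entity-encode the option values before the widget sees them. The Datepicker option list is the six options named in the advisory's example (the widget has further *Text options not shown there); escapeHtmlText and hardenTextOptions are my own names.

```javascript
"use strict";

// Added example (not jQuery UI code). Entity-encode the five characters that
// matter when a string is about to be inserted as HTML, so the browser shows
// the literal text and never parses a tag or an attribute out of it. A single
// regex pass means "&" is never double-encoded.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtmlText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Options that jQuery UI < 1.13.0 (Datepicker) and < 1.12.0 (Dialog) insert
// as HTML. The Datepicker list is the six options from the advisory's
// example; the widget has other *Text options as well.
const DATEPICKER_TEXT_OPTIONS = [
  "closeText", "currentText", "prevText", "nextText", "buttonText", "appendText",
];
const DIALOG_TEXT_OPTIONS = ["closeText"];

// Hypothetical helper: return a copy of opts in which every listed option
// that is present has been escaped; other options are left alone. Call it
// right before the widget, e.g.
//   $("#datepicker").datepicker(hardenTextOptions(userOpts, DATEPICKER_TEXT_OPTIONS));
//   $("#dialog").dialog(hardenTextOptions(userOpts, DIALOG_TEXT_OPTIONS));
function hardenTextOptions(opts, textOptionNames) {
  const out = Object.assign({}, opts);
  for (const name of textOptionNames) {
    if (Object.prototype.hasOwnProperty.call(out, name) && out[name] != null) {
      out[name] = escapeHtmlText(out[name]);
    }
  }
  return out;
}
```

Remove this shim when upgrading to the patched jQuery UI versions: once the widget treats the values as text, pre-escaped strings are double-encoded and the user sees the literal "&lt;".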
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for use.