jquery-ui-rails 5.0.1
jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
medium severity CVE-2022-31160>= 7.0.0
Impact
Initializing a checkboxradio widget on an input enclosed within a label makes
that parent label contents considered as the input label. If you call
.checkboxradio( "refresh" )
on such a widget and the initial HTML contained
encoded HTML entities, they will erroneously get decoded. This can lead to
potentially executing JavaScript code.
For example, starting with the following initial secure HTML:
<label>
<input id="test-input">
<img src=x onerror="alert(1)">
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
<!-- some jQuery UI elements -->
<input id="test-input">
<img src=x onerror="alert(1)">
</label>
and the alert will get executed.
Patches
The bug has been patched in jQuery UI 1.13.2.
Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all
the non-input contents of the label
in a span
:
<label>
<input id="test-input">
<span><img src=x onerror="alert(1)"></span>
</label>
References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS in the of
option of the .position()
util in jquery-ui
>= 7.0.0
Impact
Accepting the value of the of
option of the
.position()
util from untrusted sources may execute untrusted code. For example, invoking the
following code:
$("#element").position( {
my: "left top", at: "right bottom",
of: "<img onerror='doEvilThing()' src='/404' />",
collision: "none"
});
will call the doEvilThing()
function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to
the of
option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the of
option from
untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo.
If you don't find an answer, open a new issue."
XSS in *Text
options of the Datepicker widget in jquery-ui
>= 7.0.0
Impact
Accepting the value of various *Text
options of the Datepicker
widget from untrusted sources may execute untrusted code. For example, initializing
the datepicker in the following way:
$("#datepicker").datepicker( {
showButtonPanel: true,
showOn: "both",
closeText: "<script>doEvilThing('closeText XSS')</script>",
currentText: "<script>doEvilThing('currentText XSS')</script>",
prevText: "<script>doEvilThing('prevText XSS')</script>",
nextText: "<script>doEvilThing('nextText XSS')</script>",
buttonText: "<script>doEvilThing('buttonText XSS')</script>",
appendText: "<script>doEvilThing('appendText XSS')</script>",
}
);
will call doEvilThing
with 6 different parameters coming from
all *Text
options.
Patches
The issue is fixed in jQuery UI 1.13.0. The values passed to various
*Text
options are now always treated as pure text, not HTML.
Workarounds
A workaround is to not accept the value of the *Text
options from
untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
XSS in the altField
option of the Datepicker widget in jquery-ui
>= 7.0.0
Impact
Accepting the value of the altField
option of the Datepicker
widget from untrusted sources may execute untrusted code. For
example, initializing the datepicker in the following way:
$("#datepicker").datepicker( {
altField: "<img onerror='doEvilThing()' src='/404' >",
} );
will call the doEvilThing
function.
Patches
The issue is fixed in jQuery UI 1.13.0. Any string value passed to
the altField
option is now treated as a CSS selector.
Workarounds
A workaround is to not accept the value of the altField
option
from untrusted sources.
For more information
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue."
XSS Vulnerability on closeText option of Dialog jQuery UI
medium severity CVE-2016-7103>= 6.0.0
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.