
#14731 closed bug (worksforme)

Opened October 18, 2015 07:24AM UTC

Closed October 18, 2015 09:26AM UTC

XSS Vulnerability on _attachDatepicker function

Reported by: phatly27 Owned by:
Priority: minor Milestone: none
Component: ui.datepicker Version: 1.9.2
Keywords: Cc:
Blocked by: Blocking:


A potential bug enables us to inject XSS content into an attribute (in the format "date:[PROPERTY_IN_DEFAULTS_DATEPICKER]") on any HTML element handled by the _attachDatepicker function of the ui.datepicker component. This function uses eval to evaluate JavaScript code dynamically.


Any site using an older version, from 1.9.2 back to the earliest version.


1. Create a new HTML page.

2. Inject this content into the new page (the script URLs and the `.datepicker()` call were not preserved in the ticket):

```html
<!DOCTYPE html>
<html xmlns="">
<head>
    <script src=""></script>   <!-- jQuery (URL not preserved in the ticket) -->
    <script src=""></script>   <!-- jQuery UI 1.9.2 (URL not preserved in the ticket) -->
    <script>
        $(document).ready(function () {
            // Only the option object survives in the ticket; the .datepicker()
            // call and its target selector were lost:
            //     buttonText: 'abcde'
        });
    </script>
</head>
<body>
    <div id="abc" date:buttonText="alert('XSS')">
        <input name="datepicker" id="datepicker" type="text"/>
    </div>
</body>
</html>
```

3. An alert popup is shown.

4. Completed.


We expect that the alert popup should not be displayed and that the eval call should be removed. If it is displayed, any attacker can take advantage of it to inject malicious XSS content into the website.

Please see details at here

Attachments (0)
Change History (1)

Changed October 18, 2015 09:26AM UTC by scottgonzalez comment:1

resolution: → worksforme
status: new → closed

None of these versions are supported any more. Any site using such an old version isn't going to be any safer even if we released a new 1.9.x, which we won't. I'm closing as works for me since it has already been fixed for a long time.