Skip to main content

Search and Top Navigation

#15284 closed bug (fixed)

Opened March 23, 2018 03:11PM UTC

Closed May 25, 2021 08:58AM UTC

XSS Vulnerability on text options of jQuery UI datepicker

Reported by: andycyork Owned by:
Priority: minor Milestone: none
Component: ui.datepicker Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

similar to but applies to the datepicker\\\\

**to recreate**\\\\

Create a new HTML page.\\\\

Inject this content into new page:\\\\

<!DOCTYPE html>
<html xmlns="">
  <title>XSS in  options of datepicker</title>

  <script src=""></script>
  <script src=""></script>
  <link rel="stylesheet" type="text/css" href="">
		$(document).ready(function () {
			$( "#datepicker" ).datepicker({
				showButtonPanel: true,
				showOn: "both",
				closeText: '<script>alert("closeText XSS")<\\/script>', 
				currentText: '<script>alert("currentText XSS")<\\/script>',
				prevText: '<script>alert("prevText XSS")<\\/script>',	
				nextText: '<script>alert("nextText XSS")<\\/script>',
				buttonText: '<script>alert("buttonText XSS")<\\/script>',
				appendText: '<script>alert("appendText XSS")<\\/script>'
	<p>Date: <input type="text" id="datepicker"></p>


on load, alerts are shown for appendText & buttonText\\\\

after clicking the input control, alerts are shown for closeText, currentText, prevText & nextText\\\\


The scripted alerts should not be shown - an attacker can take advantage of injecting malicious XSS content into website.

Attachments (0)
Change History (1)

Changed May 25, 2021 08:58AM UTC by fnagel comment:1

resolution: → fixed
status: newclosed