RubySec

Providing security resources for the Ruby community

CVE-2021-41183 (jquery-ui-rails): XSS in `*Text` options of the Datepicker widget in jquery-ui

ADVISORIES

GEM

jquery-ui-rails

SEVERITY

CVSS v3.x: 6.5 (Medium)

CVSS v2.0: 4.3 (Medium)

PATCHED VERSIONS

  • >= 7.0.0

DESCRIPTION

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$("#datepicker").datepicker( {
  showButtonPanel: true,
  showOn: "both",
  closeText: "<script>doEvilThing('closeText XSS')</script>",
  currentText: "<script>doEvilThing('currentText XSS')</script>",
  prevText: "<script>doEvilThing('prevText XSS')</script>",
  nextText: "<script>doEvilThing('nextText XSS')</script>",
  buttonText: "<script>doEvilThing('buttonText XSS')</script>",
  appendText: "<script>doEvilThing('appendText XSS')</script>",
  }
);

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

RELATED