Accepting the value of the of
option of the .position()
util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
my: "left top",
at: "right bottom",
of: "<img onerror='doEvilThing()' src='/404' />",
collision: "none"
} );
will call the doEvilThing()
function.
The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of
option is now treated as a CSS selector.
A workaround is to not accept the value of the of
option from untrusted sources.
If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.
{ "nvd_published_at": "2021-10-26T15:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-10-25T22:06:43Z" }