VYPR
Moderate severity · NVD Advisory · Published Oct 26, 2021 · Updated Feb 13, 2025

XSS in `*Text` options of the Datepicker widget

CVE-2021-41183

Description

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jQuery UI prior to 1.13.0 allows XSS via specially crafted *Text options in the Datepicker widget when values come from untrusted sources.

Vulnerability

jQuery UI versions prior to 1.13.0 contain a cross-site scripting (XSS) vulnerability in the Datepicker widget. The closeText, currentText, prevText, nextText, buttonText, and appendText options accept HTML strings and render them without sanitization. When an attacker can control the value of any of these *Text options, they can inject arbitrary HTML and JavaScript. The issue is fixed in jQuery UI 1.13.0 [1][2].

Exploitation

An attacker needs to supply a malicious value for one of the vulnerable *Text options via user-controllable input (e.g., from a database field, URL parameter, or user profile setting) that is then passed directly to the Datepicker initialization. No authentication or special network position is required if the attacker can already modify the options object. The injected script executes in the context of the page when the Datepicker renders the control (e.g., when the input is focused) [3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This leads to full cross-site scripting impact: session hijacking, data theft, defacement, or redirection to malicious sites. The privilege level is the same as the affected web page [1][4].

Mitigation

The fix is included in jQuery UI version 1.13.0, released on October 26, 2021 [1][2]. Users should upgrade to this version or later. As a workaround, ensure that the values passed to any *Text option of the Datepicker widget are not accepted from untrusted sources; treat them as plain text and sanitize any HTML before assignment [1]. Drupal 7 users can apply the Drupal core security release SA-CORE-2022-002 (Drupal 7.86), which backports the fix [4].
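The workaround above, shown as an added example (not code from the advisory or from the jQuery UI project): a helper that escapes every *Text option of an untrusted localisation record before it reaches a pre-1.13.0 Datepicker, and reports which fields carried markup so they can be logged. The function names and the sample record are constructed for this example.

```javascript
// Added example (not from the advisory or jQuery UI). Hardens Datepicker
// *Text options from an untrusted source on jQuery UI < 1.13.0, where those
// values are inserted as HTML. Function names are my own.
const TEXT_OPTIONS = ["closeText", "currentText", "prevText", "nextText",
                      "buttonText", "appendText"];

// Escape the characters that let a string break out of an HTML text context.
// '&' is replaced first so later replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Audit check: would this value be interpreted as markup or an entity?
function looksLikeMarkup(value) {
  return /[<>]|&#?\w+;/.test(String(value));
}

// Return a copy of an untrusted options object in which every *Text option
// is escaped so it renders as literal text under the pre-1.13.0 HTML
// handling. Non-*Text options pass through unchanged. Drop this step once
// on 1.13.0+, which already renders these values as text (the entities
// would then be displayed literally).
function sanitizeDatepickerOptions(untrusted) {
  const safe = { ...untrusted };
  const flagged = [];
  for (const key of TEXT_OPTIONS) {
    if (typeof safe[key] === "string") {
      if (looksLikeMarkup(safe[key])) flagged.push(key);
      safe[key] = escapeHtml(safe[key]);
    }
  }
  return { options: safe, flagged };
}

// Constructed sample: a per-user localisation record where one field
// carries markup that a pre-1.13.0 widget would render as HTML.
const fromDatabase = {
  closeText: "Schließen",
  prevText: "<b>Zurück</b>",
  dateFormat: "dd.mm.yy",
};
const result = sanitizeDatepickerOptions(fromDatabase);
// result.flagged lists ["prevText"]; result.options is safe to hand to
// $("#date").datepicker(result.options) on a pinned pre-1.13.0 build.
```

The `flagged` list is the detection hook: a non-empty value on a field that should only ever hold a short label is worth logging, since it points at a source that is supplying markup where none is expected.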

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions   Patched versions
jquery-ui                   npm         < 1.13.0            1.13.0
org.webjars.npm:jquery-ui   Maven       < 1.13.0            1.13.0
jquery-ui-rails             RubyGems    < 7.0.0             7.0.0
jQuery.UI.Combined          NuGet       < 1.13.0            1.13.0

Affected products: 51

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 32

News mentions: 0 (No linked articles in our index yet.)