CVE-2022-31160 : jQuery UI checkboxradio cross site scripting (21st July 2022)

Preface: jQuery is an independent JavaScript library which brings along added functions and additional functionality to the standard built-in objects to what JavaScript natively provides. The programming crowd with jQuery still looks strong. According to w3techs stats. Popular sites are still using jQuery.

Background: jQuery is the core library. jQueryUI is built on top of it. If you use jQueryUI, you must also include jQuery. The plugins and utilities in jQuery UI are divided into four categories—widgets, interactions, effects, and utilities.

The plugins and utilities in jQuery UI are divided into four categories: widgets, interactions, effects, and utilities

jQuery UI is made up of different CSS and JavaScript files. In addition, some files are compressed, while others are not.

  • Uncompressed files are located in the development-bundle directory, under the jQuery UI installation directory (jqueryui).
  • The ui directory (located under development-bundle) contains the JavaScript files. The jquery[.]ui[.]core[.]js file includes the basic features (mandatory), while other files will be included only if required.
  • The themes directory (located under development-bundle) contains the CSS files. It consists of various directories, each containing themes (e.g., the base, smoothness, and ui-lightness directories). Each theme includes an images directory and other CSS files.

Vulnerability details: jQuery UI versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded.

Solution: The bug has been patched in jQuery UI 1.13.2.

Workaround: To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Official announcement: Please refer to the link –

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.