Potential fix for code scanning alert no. 59: Unsafe jQuery plugin (#1666)

kueken · github-advanced-security[bot] · web-flow · commit 20391a45bd2e · 2025-07-21T18:11:19.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/sourcefiles/modern/plugins/jquery/jquery-ui-1.12.1.js b/sourcefiles/modern/plugins/jquery/jquery-ui-1.12.1.js
@@ -8847,7 +8847,12 @@ $.extend( Datepicker.prototype, {
 		var altFormat, date, dateStr,
 			altField = this._get( inst, "altField" );
 
-		if ( altField ) { // update alternate field too
+		// Mitigation for potential XSS: only allow altField as a selector, not as HTML
+		if (
+			typeof altField === "string" &&
+			altField.length > 0 &&
+			altField.trim().charAt(0) !== "<"
+		) { // update alternate field too
 			altFormat = this._get( inst, "altFormat" ) || this._get( inst, "dateFormat" );
 			date = this._getDate( inst );
 			dateStr = this.formatDate( altFormat, date, this._getFormatConfig( inst ) );
