Description
At https://github.com/apache/ofbiz-framework/security/code-scanning?query=is%3AIncomplete+string+escaping+or+encoding+branch%3Atrunk+severity%3Ahigh
GH CodeQL reports 556 "Incomplete string escaping or encoding branch" issues (there are 588 issues in all).
Most of them, but not all, are in jQuery-UI:
Incomplete string escaping or encoding
(Library) themes/common-theme/webapp/common/js/jquery/ui/jquery-ui-1.12.1.js:17591
Some are reported inside jQuery itself:
Incomplete string escaping or encoding
themes/common-theme/webapp/common/js/jquery/plugins/jsTree/jquery.jstree.js:2961
So this is only an attempt to clarify among the 23 pages reported, by upgrading jQuery-UI to 1.13.0.
While working on this I came across an issue related to element.form(), which is now element._form() in jQuery-UI 1.13.0. I think it appears only in OfbizUtil.js because it's loaded after jQuery-UI.
I also tried to load jQuery-UI with npmInstall but unfortunately https://jqueryui.com/upgrade-guide/1.12/#official-package-on-npm (ie jquery-ui.js & jquery-ui-min.js)