We are not currently using the jQuery Date Picker items because of the accessibility bug documented in the APEX 4.2 Release Notes:
<blockquote>The modern inline date pickers are not usable with screen readers or magnification due to focus not being set correctly. The data table is also missing a caption or summary text to describe the data in the table. Workaround for Custom Applications: Use the 'Classic Datepicker' which is coded to the standards. Workaround for Development Environment: Enter the date manually into the date input field. This issue is tracked with Oracle bug 9740473.</blockquote>
So we have been using Date Picker (Classic). However, now a customer has had a penetration test performed by a third party, and they have said that Date Picker (Classic) has an XSS vulnerability. The issue is that the URL for the date picker is exposed, e.g.