Mise a jour de jQuery forms en version 4.3.0 + fix issue 464 / PR 586

prive/javascript/jquery.form.js

@@ -262,6 +262,12 @@
 				var successArguments = arguments,
 					fn = options.replaceTarget ? 'replaceWith' : 'html';
 
+				// Validate `data` through `HTML encoding` when passed `data` is passed
+				// to `html()`, as suggested in https://github.com/jquery-form/form/issues/464
+				if (fn == 'html' ) {
+					data = $.parseHTML($("<div>").text(data).html())
+				};
+
 				$(options.target)[fn](data).each(function(){
 					oldSuccess.apply(this, successArguments);
 				});
@@ -923,8 +929,11 @@
 				return (doc && doc.documentElement && doc.documentElement.nodeName !== 'parsererror') ? doc : null;
 			};
 			var parseJSON = $.parseJSON || function(s) {
-				/* jslint evil:true */
-				return window['eval']('(' + s + ')');			// eslint-disable-line dot-notation
+				// Arise an error resolvable including jquery instead of
+				// making a new function using unsanitized inputs
+
+				window.console.error('jquery.parseJSON is undefined');
+				return null;
 			};
 
 			var httpData = function(xhr, type, s) { // mostly lifted from jq1.4.4