From 97f3d5ea3b9b1712b13cc8a5bec86702309d91f9 Mon Sep 17 00:00:00 2001
From: Cerdic <cedric@yterium.com>
Date: Mon, 17 Jan 2022 09:45:42 +0100
Subject: [PATCH] Mise a jour de jQuery forms en version 4.3.0 + fix issue 464
 / PR 586

---
 prive/javascript/jquery.form.js | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/prive/javascript/jquery.form.js b/prive/javascript/jquery.form.js
index 168d4b8b69..02b74e7089 100644
--- a/prive/javascript/jquery.form.js
+++ b/prive/javascript/jquery.form.js
@@ -262,6 +262,12 @@
 				var successArguments = arguments,
 					fn = options.replaceTarget ? 'replaceWith' : 'html';
 
+				// Validate `data` through `HTML encoding` when passed `data` is passed
+				// to `html()`, as suggested in https://github.com/jquery-form/form/issues/464
+				if (fn == 'html' ) {
+					data = $.parseHTML($("<div>").text(data).html())
+				};
+
 				$(options.target)[fn](data).each(function(){
 					oldSuccess.apply(this, successArguments);
 				});
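Review bot: The new branch at L21–L23 does not "validate" the response, it converts the whole response into escaped text: `$("<div>").text(data).html()` encodes every `<`, `>` and `&`, and `$.parseHTML` of that string yields a single text node, so any markup the server returns is rendered literally inside the target instead of being inserted as HTML. That is a reasonable hardening against reflected markup, but it is also a behaviour change for callers whose `target` expects an HTML fragment, and the comment should state it plainly, e.g. `// Insert the response as escaped text, not markup: any HTML in the response is rendered literally (issue 464)`. The `};` at L23 leaves a stray empty statement after the block and `==` should be strict: `if (fn === 'html') {` / `data = $.parseHTML($('<div>').text(data).html());` / `}`. The enclosing success wrapper begins and ends outside the hunk.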
@@ -923,8 +929,11 @@
 				return (doc && doc.documentElement && doc.documentElement.nodeName !== 'parsererror') ? doc : null;
 			};
 			var parseJSON = $.parseJSON || function(s) {
-				/* jslint evil:true */
-				return window['eval']('(' + s + ')');			// eslint-disable-line dot-notation
+				// Arise an error resolvable including jquery instead of
+				// making a new function using unsanitized inputs
+
+				window.console.error('jquery.parseJSON is undefined');
+				return null;
 			};
 
 			var httpData = function(xhr, type, s) { // mostly lifted from jq1.4.4
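Review bot: The fallback at L34–L38 returns `null` for every input, so in an environment where `$.parseJSON` is absent (it is deprecated since jQuery 3.0 and removed in jQuery 4) a perfectly valid JSON response reaches httpData as `null`, with nothing but a console message to explain the lost data; `window.console` may itself be undefined in some of the old environments the eval path used to cover. Since jQuery 3, `$.parseJSON` is an alias of `JSON.parse`, so the drop-in replacement for the eval that neither evaluates code nor masks failures is `var parseJSON = $.parseJSON || JSON.parse;`, which throws a SyntaxError on malformed input the same way the jQuery implementation does. httpData continues outside the hunk.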
-- 
GitLab