fix(jquery-form): avoid XSS

Applies the suggested fix that is sitting in an unmerged PR on the
upstream repo:

jquery-form/form#586

Author: wincent

third-party/projects/jquery-form/jquery.form.js

@@ -190,6 +190,15 @@ $.fn.ajaxSubmit = function(options) {
         var oldSuccess = options.success || function(){};
         callbacks.push(function(data) {
             var fn = options.replaceTarget ? 'replaceWith' : 'html';
+
+            // Validate `data` through `HTML encoding` when passed
+            // `data` is passed to `html()`, as suggested in
+            // https://github.com/jquery-form/form/issues/464
+
+            data = options.replaceTarget
+                ? data
+                : $.parseHTML($('<div>').text(data).html());
+
             $(options.target)[fn](data).each(oldSuccess, arguments);
         });
     }
@@ -801,8 +810,12 @@ $.fn.ajaxSubmit = function(options) {
             return (doc && doc.documentElement && doc.documentElement.nodeName != 'parsererror') ? doc : null;
         };
         var parseJSON = $.parseJSON || function(s) {
-            /*jslint evil:true */
-            return window['eval']('(' + s + ')');
+            // Throw an error instead of making a new function using
+            // unsanitized inputs to avoid XSS attacks.
+
+            window.console.error('jquery.parseJSON is undefined');
+
+            return null;
         };
 
         var httpData = function( xhr, type, s ) { // mostly lifted from jq1.4.4