From bd29b9ff5d74ac93c0e6778f52c1ad30965d0dcc Mon Sep 17 00:00:00 2001
From: Michele Romano <33063403+Mik317@users.noreply.github.com>
Date: Fri, 31 Jul 2020 01:16:13 +0200
Subject: [PATCH] [FIX] XSS validating context and encoding HTML

---
 src/jquery.form.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/jquery.form.js b/src/jquery.form.js
index 168d4b8b..72cc4945 100644
--- a/src/jquery.form.js
+++ b/src/jquery.form.js
@@ -262,6 +262,10 @@
 				var successArguments = arguments,
 					fn = options.replaceTarget ? 'replaceWith' : 'html';
 
+					// Validate `data` through `HTML encoding` when passed `data` is passed 
+					// to `html()`, as suggested in https://github.com/jquery-form/form/issues/464
+					fn == 'html' ? data = $.parseHTML($("<div>").text(data).html()) : '';
+
 				$(options.target)[fn](data).each(function(){
 					oldSuccess.apply(this, successArguments);
 				});
@@ -923,8 +927,12 @@
 				return (doc && doc.documentElement && doc.documentElement.nodeName !== 'parsererror') ? doc : null;
 			};
 			var parseJSON = $.parseJSON || function(s) {
-				/* jslint evil:true */
-				return window['eval']('(' + s + ')');			// eslint-disable-line dot-notation
+
+				// Arise an error resolvable including jquery instead of 
+				// making a new function using unsanitized inputs
+
+				window.console.error('jquery.parseJSON is undefined');
+				return null;
 			};
 
 			var httpData = function(xhr, type, s) { // mostly lifted from jq1.4.4