Merge pull request #398 from liferay/wincent/jquery-form-xss

fix(jquery-form): avoid XSS

Author: wincent

third-party/projects/jquery-form/jquery.form.js

@@ -10,16 +10,9 @@
  */
 /*global ActiveXObject */
 
-// AMD support
 (function (factory) {
     "use strict";
-    if (typeof define === 'function' && define.amd) {
-        // using AMD; register as anon module
-        define(['jquery'], factory);
-    } else {
-        // no AMD; invoke directly
-        factory( (typeof(jQuery) != 'undefined') ? jQuery : window.Zepto );
-    }
+    factory(window.$ || window.Zepto);
 }
 
 (function($) {
@@ -190,6 +183,15 @@ $.fn.ajaxSubmit = function(options) {
         var oldSuccess = options.success || function(){};
         callbacks.push(function(data) {
             var fn = options.replaceTarget ? 'replaceWith' : 'html';
+
+            // Validate `data` through `HTML encoding` when passed
+            // `data` is passed to `html()`, as suggested in
+            // https://github.com/jquery-form/form/issues/464
+
+            data = options.replaceTarget
+                ? data
+                : $.parseHTML($('<div>').text(data).html());
+
             $(options.target)[fn](data).each(oldSuccess, arguments);
         });
     }
@@ -801,8 +803,12 @@ $.fn.ajaxSubmit = function(options) {
             return (doc && doc.documentElement && doc.documentElement.nodeName != 'parsererror') ? doc : null;
         };
         var parseJSON = $.parseJSON || function(s) {
-            /*jslint evil:true */
-            return window['eval']('(' + s + ')');
+            // Throw an error instead of making a new function using
+            // unsanitized inputs to avoid XSS attacks.
+
+            window.console.error('jquery.parseJSON is undefined');
+
+            return null;
         };
 
         var httpData = function( xhr, type, s ) { // mostly lifted from jq1.4.4