The form library suffered of a XSS issue, which was caused by 2 minor issues inside the code, which made possible the usage of eval on unsanitized values (inside the "override" of parseJSON) and html parsing on a unsanitized AJAX response.

The 2 issues have been fixed in the following way:

1. The eval inside the parseJSON function has been removed, while it's been added a error which arises when the default $.parseJSON function (on jquery) isn't declared (anyone with good intentions would simply add the jquery script on the page and all works correctly again).
2. The unsanitized AJAX response was previously passed to parseHTML without any check, making possible inject additional HTML. I used a peculiarity of jquery to translate the HTML nodes evaluated into text nodes, which are equal to HTML encoded entities. It can can be verified seeing this: