EastDesire / jscolor

JavaScript color picker with opacity (alpha channel) and customizable palette. Single file of plain JS with no dependencies.
http://jscolor.com

Remove unsafe script injection vulnerability #18

Closed opoto closed 4 years ago

opoto commented 6 years ago

Removed "new Function()" usage, which causes a risk of script injection. Replaced options parsing by JSON.parse(); options now have to be in proper JSON format and cannot contain JavaScript code. Consequently, onFineChange is changed to a boolean that activates triggering of keypress events on "fine changes".

EastDesire commented 4 years ago

Hi @opoto. First, apologies for being so late with my reply here on GitHub. jscolor has changed a lot since then.

The new version 2.2 expects JSON syntax by default, and if it cannot be parsed, it tries to evaluate the string as JS code. This can be disabled by setting jscolor.looseJSON flag to false. The point is to allow loose JSON syntax for easy readability, but to also have an option to disable eval-like behavior when one is concerned about security.

As for the 'onFineChange', it was renamed to 'onInput' and the functionality remains. However, the color picker now also triggers the standard oninput event, which can be used the same way as if the onFineChange was enabled (in the manner you originally suggested).
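The two parsing modes discussed above, as an added example that is not jscolor's own code (the function names are hypothetical): a strict JSON.parse() path, plus a tolerant path for loose syntax that rewrites it into strict JSON instead of evaluating it, so option strings can never execute as script in either mode.

```javascript
// Added example (not jscolor's code); function names are hypothetical.
// Rewrites loose syntax (single quotes, unquoted keys) into strict JSON with
// a small scanner. Nothing is ever evaluated: non-data input fails to parse.
function looseToStrictJSON(src) {
  let out = '';
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'") {
      // Copy a quoted string, re-emitting it double-quoted.
      let j = i + 1;
      let body = '';
      while (j < src.length && src[j] !== c) {
        if (src[j] === '\\') {
          body += src[j + 1] === "'" ? "'" : '\\' + src[j + 1];
          j += 2;
        } else {
          body += src[j] === '"' ? '\\"' : src[j];
          j += 1;
        }
      }
      if (j >= src.length) throw new SyntaxError('unterminated string');
      out += '"' + body + '"';
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(c)) {
      // Bare word: quote it when it is a key; true/false/null pass through,
      // anything else (e.g. a function call) makes JSON.parse reject it.
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j += 1;
      const word = src.slice(i, j);
      out += /^\s*:/.test(src.slice(j)) ? '"' + word + '"' : word;
      i = j;
    } else {
      out += c;
      i += 1;
    }
  }
  return out;
}

// Hardened parser replacing the removed new Function() pattern: strict JSON
// first; with looseJSON the tolerant rewrite is tried, never script eval.
function parseOptions(str, looseJSON = true) {
  try {
    return JSON.parse(str);
  } catch (err) {
    if (!looseJSON) throw err;
    return JSON.parse(looseToStrictJSON(str));
  }
}
```

With looseJSON set to false the tolerant path is skipped entirely, mirroring the jscolor.looseJSON flag; in both modes a string such as `{value: alert(1)}` is rejected rather than run.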