When outputting user-supplied data, Drupal strips potentially
dangerous HTML attributes and tags or escapes characters which
have a special meaning in HTML. This output filtering secures the
site against cross-site scripting attacks via user input.

Certain byte sequences that are valid in the UTF-8 specification
are potentially dangerous when interpreted as UTF-7. Internet
Explorer 6 and 7 may decode these characters as UTF-7 if they
appear before the <meta http-equiv="Content-Type" /> tag that
specifies the page content as UTF-8, despite the fact that Drupal
also sends a real HTTP header specifying the content as UTF-8.
This enables attackers to execute cross-site scripting attacks
with UTF-7. The earlier advisory "SA-CORE-2009-005 - Drupal core -
Cross site scripting" contained an incomplete fix for the issue.
HTML exports of books are still vulnerable, which means that anyone
with edit permissions for pages in outlines is able to insert
arbitrary HTML and script code in these exports.

Additionally, the taxonomy module allows users with the
'administer taxonomy' permission to inject arbitrary HTML and
script code in the help text of any vocabulary.
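
The UTF-7 condition described above can be checked on rendered output. The following is an added example, not code from Drupal or from this advisory: it reports UTF-7 shifted sequences that sit before the charset <meta> tag and decode to HTML-significant characters. The function names and both sample pages are constructed for illustration.

```python
import base64
import re

# '+' followed by a modified-base64 run and an optional '-' (UTF-7, RFC 2152).
UTF7_RUN = re.compile(rb"\+([A-Za-z0-9+/]+)-?")
# A <meta> element that declares the charset, as in the advisory.
META_CHARSET = re.compile(rb"<meta[^>]+charset\s*=", re.I)
HTML_SPECIAL = set("<>\"'&")


def decode_utf7_run(b64: bytes):
    """Decode one shifted UTF-7 run to text; None if it is not valid."""
    try:
        raw = base64.b64decode(b64 + b"=" * (-len(b64) % 4), validate=True)
        # The payload is UTF-16BE; drop a trailing odd byte of padding bits.
        return raw[: len(raw) - len(raw) % 2].decode("utf-16-be")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def utf7_exposure(page: bytes):
    """List (offset, decoded) for UTF-7 runs that sit before the charset
    <meta> tag and decode to HTML-significant characters."""
    meta = META_CHARSET.search(page)
    boundary = meta.start() if meta else len(page)
    findings = []
    for m in UTF7_RUN.finditer(page, 0, boundary):
        text = decode_utf7_run(m.group(1))
        if text and HTML_SPECIAL & set(text):
            findings.append((m.start(), text))
    return findings


# Constructed sample pages (not Drupal output). The title carries the same
# user-supplied text in both; only the position of the <meta> tag differs.
META = b'<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'
TITLE = b"<title>+ADw-b+AD4-hi</title>"
TITLE_FIRST = b"<html><head>" + TITLE + META + b"</head><body></body></html>"
META_FIRST = b"<html><head>" + META + TITLE + b"</head><body></body></html>"

if __name__ == "__main__":
    for name, page in (("title first", TITLE_FIRST), ("meta first", META_FIRST)):
        print(name, utf7_exposure(page))
```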