When outputting user-supplied data Drupal strips potentially
dangerous HTML attributes and tags or escapes characters which have a
special meaning in HTML. This output filtering secures the site
against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification
are potentially dangerous when interpreted as UTF-7. Internet Explorer
6 and 7 may decode these characters as UTF-7 if they appear before the
meta http-equiv="Content-Type" tag that specifies the page content
as UTF-8, despite the fact that Drupal also sends a real HTTP header
specifying the content as UTF-8. This behaviour enables malicious
users to insert and execute Javascript in the context of the website
if site visitors are allowed to post content.
In addition, Drupal core also has a very limited information
disclosure vulnerability under very specific conditions. If a user is
tricked into visiting the site via a specially crafted URL and then
submits a form (such as the search box) from that page, the
information in their form submission may be directed to a third-party
site determined by the URL and thus disclosed to the third party. The
third party site may then execute a CSRF attack against the submitted
form.