validator is vulnerable to cross-site scripting. A remote attacker is able to bypass the Javascript filter via a crafted URL to inject arbitrary Javascript into a victim’s browser to steal session tokens or perform unwanted actions on behalf of the user.