Affected Software: Drupal Core
Fixed in Version: 6.1
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here
The developer's fix is to set the global flag on the regex, so that all instances are replaced rather than only the first match. When auditing code like this, it would be wise to look carefully upstream and check for other uses of the same data, where a different end use is not encoded. When designing a system, issues like this show the importance of a carefully planned and consistent input-escaping/output-encoding approach, so that missed occurrences are more apparent. In this case, the JS function here is used only by Drupal modules and plugins loading data via Ajax, and a parallel change was made in the Drupal PHP source to handle normal usage. That change called the standard PHP function check_plain to output-encode the data on the back end.
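The flag-less regex defect described above, as an added JavaScript illustration (this is not Drupal's own code; the encoder shape and its entity table are assumed for the example, and the leak check is a constructed audit helper):

```javascript
// Entity table for HTML output encoding. '&' must be handled first so that
// entities produced for the other characters are not re-encoded.
const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Defective encoder (assumed shape): String.replace with a regex that has no
// 'g' flag rewrites only the FIRST occurrence of each character.
function encodeFirstOnly(str) {
  let out = String(str);
  for (const ch of Object.keys(ENTITIES)) {
    out = out.replace(new RegExp(ch), ENTITIES[ch]); // first match only
  }
  return out;
}

// Corrected encoder: the global flag makes replace() rewrite every occurrence.
function encodeAll(str) {
  let out = String(str);
  for (const ch of Object.keys(ENTITIES)) {
    out = out.replace(new RegExp(ch, 'g'), ENTITIES[ch]); // all matches
  }
  return out;
}

// Audit helper (constructed): true if the encoder output still contains a
// character that can open or close markup or an attribute value.
function leaksMarkup(encoded) {
  return /[<>"]/.test(encoded);
}

// Constructed sample: a second tag slips through the defective encoder.
const sample = '<b>x</b>';
console.log(encodeFirstOnly(sample), leaksMarkup(encodeFirstOnly(sample)));
console.log(encodeAll(sample), leaksMarkup(encodeAll(sample)));
```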