Drupal 4.x – URL-Encoded Input HTML Injection Verified