Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Drupal's l/url methods would usually escape all possible unsecure code. Due to an incompatibility, refine_by_taxo could no longer use this and build its own anchors, without escaping the tags properly.
Anyone who creates tags with core taxonomy module, could potentially inject arbitrary HTML and script code into your site when you use refine_by_taxo to display these tags. Note that core taxonomy has no issues, its only the display part in refine_by_taxo that did not properlty escape the output.