diff -r drupal-7.72/CHANGELOG.txt drupal-7.73/CHANGELOG.txt
0a1,5
> Drupal 7.73, 2020-09-16
> -----------------------
> - Fixed security issues:
> - SA-CORE-2020-007
>
diff -r drupal-7.72/includes/bootstrap.inc drupal-7.73/includes/bootstrap.inc
11c11
< define('VERSION', '7.72');
---
> define('VERSION', '7.73');
diff -r drupal-7.72/misc/ajax.js drupal-7.73/misc/ajax.js
152c152
< url: ajax.url,
---
> url: Drupal.sanitizeAjaxUrl(ajax.url),
197a198
> jsonp: false,
diff -r drupal-7.72/misc/autocomplete.js drupal-7.73/misc/autocomplete.js
300c300
< url: db.uri + '/' + Drupal.encodePath(searchString),
---
> url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
301a302
> jsonp: false,
diff -r drupal-7.72/misc/drupal.js drupal-7.73/misc/drupal.js
427a428,444
> * Sanitizes a URL for use with jQuery.ajax().
> *
> * @param url
> * The URL string to be sanitized.
> *
> * @return
> * The sanitized URL.
> */
> Drupal.sanitizeAjaxUrl = function (url) {
> var regex = /\=\?(&|$)/;
> while (url.match(regex)) {
> url = url.replace(regex, '');
> }
> return url;
> }
>
> /**
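Review bot: Nothing in misc/ajax.js says that `url: Drupal.sanitizeAjaxUrl(ajax.url)` (152) and `jsonp: false` (198) belong together, and the same pair in misc/autocomplete.js (300 and 302) has the same gap. jQuery treats a `=?` placeholder in a request URL as a JSONP callback marker, so the two lines look like two layers of one defence, presumably aimed at different jQuery versions. A maintainer who sees only one of them may later drop it as redundant. I would add above each `url:` line a comment such as `// Defence in depth: strip JSONP callback placeholders from the URL and disable JSONP; keep both.` The options objects start and end outside these hunks, so other `$.ajax` call sites in the full files are worth checking for the same treatment.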
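Review bot: In `Drupal.sanitizeAjaxUrl` the call `url.replace(regex, '')` also removes the `&` captured by `(&|$)`, so a URL such as `a=?&b=1` (constructed example) comes out as `ab=1`, with two parameters fused into one name. Keeping the separator with `url = url.replace(regex, '$1');` still strips every `=?` placeholder, because the `while` loop runs until the pattern no longer matches. The doc comment should also say what is removed, for example `Strips "=?" JSONP callback placeholders so that jQuery.ajax() does not treat the request as JSONP.`, and the function assignment should end with `};`. The opening `/**` of this doc comment is on the context line before the hunk, and the trailing `/**` opens the comment of the function that follows.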