Drupal 8.0.0-beta14 Vendor Script Vulnerable to XSS