diff -r 2815e71c65fb -r cdf0cb7bf073 cms/drupal/includes/common.inc
--- a/cms/drupal/includes/common.inc Mon Mar 19 15:45:08 2018 +0100
+++ b/cms/drupal/includes/common.inc Mon Mar 19 16:00:44 2018 +0100
@@ -2236,8 +2236,11 @@
 'prefix' => ''
 );
 
+ // Determine whether this is an external link, but ensure that the current
+ // path is always treated as internal by default (to prevent external link
+ // injection vulnerabilities).
 if (!isset($options['external'])) {
- $options['external'] = url_is_external($path);
+ $options['external'] = $path === $_GET['q'] ? FALSE : url_is_external($path);
 }
 
 // Preserve the original path before altering or aliasing.
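Review bot: The new assignment reads `$_GET['q']` without checking that it is set, so any call that reaches this line before the request path is populated would raise an undefined-index notice and compare `$path` against NULL. Whether that can happen is not visible here, because the enclosing function starts and ends outside the hunk. Guarding the read keeps the protection and removes the notice: `$options['external'] = (isset($_GET['q']) && $path === $_GET['q']) ? FALSE : url_is_external($path);`. The comment should also say that the match is an exact string comparison and applies only when the caller has not set `$options['external']`. Any other request-derived path still goes through `url_is_external()` and needs its own validation at the call site.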