diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 4f438e7b423..7f5f570a564 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.73, 2020-09-16
+-----------------------
+- Fixed security issues:
+    - SA-CORE-2020-007
+
 Drupal 7.72, 2020-06-17
 -----------------------
 - Fixed security issues:
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index efe1dfd171c..3056fbf2e41 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
  * The current system version.
  */
-define('VERSION', '7.72');
+define('VERSION', '7.73');
 
 /**
  * Core API compatibility.
diff --git a/misc/ajax.js b/misc/ajax.js
index 0c9579b00d2..79a4e9eb6f5 100644
--- a/misc/ajax.js
+++ b/misc/ajax.js
@@ -149,7 +149,7 @@ Drupal.ajax = function (base, element, element_settings) {
   // The 'this' variable will not persist inside of the options object.
   var ajax = this;
   ajax.options = {
-    url: ajax.url,
+    url: Drupal.sanitizeAjaxUrl(ajax.url),
     data: ajax.submit,
     beforeSerialize: function (element_settings, options) {
       return ajax.beforeSerialize(element_settings, options);
@@ -195,6 +195,7 @@ Drupal.ajax = function (base, element, element_settings) {
       }
     },
     dataType: 'json',
+    jsonp: false,
     type: 'POST'
   };
 
diff --git a/misc/autocomplete.js b/misc/autocomplete.js
index af090713c73..09ceeec0f14 100644
--- a/misc/autocomplete.js
+++ b/misc/autocomplete.js
@@ -297,8 +297,9 @@ Drupal.ACDB.prototype.search = function (searchString) {
   // encodeURIComponent to allow autocomplete search terms to contain slashes.
   $.ajax({
     type: 'GET',
-    url: db.uri + '/' + Drupal.encodePath(searchString),
+    url: Drupal.sanitizeAjaxUrl(db.uri + '/' + Drupal.encodePath(searchString)),
     dataType: 'json',
+    jsonp: false,
     success: function (matches) {
       if (typeof matches.status == 'undefined' || matches.status != 0) {
         db.cache[searchString] = matches;
diff --git a/misc/drupal.js b/misc/drupal.js
index 19fbc712fdb..7a3f5f5926f 100644
--- a/misc/drupal.js
+++ b/misc/drupal.js
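Review bot: The new `url:` line in the first ajax.js hunk sanitizes `ajax.url` once, when `ajax.options` is assembled, but the `data: ajax.submit` line directly below reaches jQuery untouched; jQuery also inspects a string request body for the same `=?` marker, so if `ajax.submit` is ever a pre-serialized string rather than an object (not visible here) the same stripping would be needed on it. The stripping and the `jsonp: false` added in the second hunk are two halves of one guard and deserve a why-comment, e.g. above the `url:` line: `// Strip "=?" so jQuery does not silently turn this request into JSONP; jsonp: false below covers jQuery releases that honour that option.` The same comment fits the autocomplete.js hunk, whose URL gets the identical treatment. Drupal.ajax begins and ends outside both hunks.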
@@ -424,6 +424,23 @@ Drupal.urlIsLocal = function (url) {
   return absoluteUrl === baseUrl || absoluteUrl.indexOf(baseUrl + '/') === 0;
 };
 
+/**
+ * Sanitizes a URL for use with jQuery.ajax().
+ *
+ * @param url
+ *   The URL string to be sanitized.
+ *
+ * @return
+ *   The sanitized URL.
+ */
+Drupal.sanitizeAjaxUrl = function (url) {
+  var regex = /\=\?(&|$)/;
+  while (url.match(regex)) {
+    url = url.replace(regex, '');
+  }
+  return url;
+}
+
 /**
  * Generate the themed representation of a Drupal object.
  *
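Review bot: In `Drupal.sanitizeAjaxUrl` the regex captures the `&` that follows `=?` but the replacement drops it, so `a=?&b=1` comes back as `ab=1`, fusing two query parameters into one; replacing with the capture keeps the boundary while still removing the marker: `url = url.replace(regex, '$1');`. The closing `}` of the function expression lacks the `;` that `Drupal.urlIsLocal` just above ends with, so `};` would keep the file consistent. Later jQuery releases also treat `??` in a URL as a JSONP marker, which this regex does not strip; whether that matters depends on the jQuery version bundled, which this diff does not show, and the callers' `jsonp: false` closes that path on versions honouring the option. `url.match` throws if a caller passes `undefined`, so the doc block could state that a string is required.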