diff --git a/common/lightbox2/SA-CONTRIB-2018-064.patch b/common/lightbox2/SA-CONTRIB-2018-064.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88a5ac6bcc857ccb4165996dc54edfb9bc56cbea
--- /dev/null
+++ b/common/lightbox2/SA-CONTRIB-2018-064.patch
@@ -0,0 +1,18 @@
+diff --git a/lightbox2_handler_field_lightbox2.inc b/lightbox2_handler_field_lightbox2.inc
+index b32f691..dbfa4d5 100644
+--- a/lightbox2_handler_field_lightbox2.inc
++++ b/lightbox2_handler_field_lightbox2.inc
+@@ -141,7 +141,12 @@ class lightbox2_handler_field_lightbox2 extends views_handler_field {
+       // div is hidden it won't show up as a lightbox.  We also specify a group
+       // in the rel attribute in order to link the whole View together for paging.
+       $group_name = !empty($this->options['custom_group']) ? $this->options['custom_group'] : ($this->options['rel_group'] ? 'lightbox-popup-' . $this->view->name . '-' . implode('/', $this->view->args) : '');
+-      return "<a href='$link #lightbox-popup-{$i}'  rel='lightmodal[{$group_name}|width:" . ($this->options['width'] ? $this->options['width'] : '600px') . ';height:' . ($this->options['height'] ? $this->options['height'] : '600px') . "][" . $caption . "]'>". $tokens["[{$this->options['trigger_field']}]"] ."</a>
++      $group_name = check_plain($group_name);
++      $width = $this->options['width'] ? check_plain($this->options['width']) : '600px';
++      $height = $this->options['height'] ? check_plain($this->options['height']) : '600px';
++      $trigger_field = filter_xss_admin($this->options['trigger_field']);
++
++      return "<a href='$link #lightbox-popup-{$i}'  rel='lightmodal[{$group_name}|width:" . $width . ';height:' . $height . "][" . $caption . "]'>" . $tokens["[{$trigger_field}]"] . "</a>
+                 <div style='display: none;'><div id='lightbox-popup-{$i}' class='lightbox-popup'>$popup</div></div>";
+     }
+     else {