Issue #1892640 by grisendo, larowlan: Fixed XSS in date formats admin page .

core/includes/common.inc

@@ -1898,7 +1898,7 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
     'langcode' => $langcode,
     'format_string_type' => $key,
   );
-  return $date->format($format, $settings);
+  return filter_xss_admin($date->format($format, $settings));
 }
 
 /**

core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php

@@ -141,4 +141,18 @@ function testDateFormatStorage() {
     $format = config('locale.config.en.system.date')->get('formats.test_short_en.pattern.php');
     $this->assertEqual('dmYHis', $format, 'Localized date format resides in localized config.');
   }
+
+  /**
+   * Test that date formats are sanitized.
+   */
+  function testDateFormatXSS() {
+    $date_format_info = array(
+      'name' => 'XSS format',
+      'pattern' => array('php' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'),
+    );
+    system_date_format_save('xss_short', $date_format_info);
+
+    $this->drupalGet('admin/config/regional/date-time');
+    $this->assertNoRaw("<script>alert('XSS');</script>", 'The date format was properly sanitized');
+  }
 }