diff --git a/core/includes/common.inc b/core/includes/common.inc
index e22307a2c8b7eeaaa79845448d11594ff76f1d9c..f3d8f2c64e2cb02a65aed66294b864d6fdb3ed6a 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -1898,7 +1898,7 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
     'langcode' => $langcode,
     'format_string_type' => $key,
   );
-  return $date->format($format, $settings);
+  return filter_xss_admin($date->format($format, $settings));
 }
 
 /**
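Review bot: The added `filter_xss_admin()` call changes format_date()'s return contract — the value is now HTML-filtered markup rather than a plain formatted date — but the function's docblock, which lies outside this hunk, still describes an unfiltered string, so callers cannot tell whether they should keep escaping the result or will now double-encode it. The `@return` line should state the new contract, e.g. `A translated date string in the requested format, passed through filter_xss_admin() and therefore safe to print as HTML.` Note also that filter_xss_admin() is the permissive admin-level allow list and now runs on every format_date() call, including callers whose output is not destined for HTML (mail bodies, plain-text exports), where its tag stripping and entity normalisation can alter the string; filtering where the admin-entered pattern is stored or where it is rendered would be a narrower fix, though that is beyond this hunk.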
diff --git a/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php b/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
index 7a0f5c0ecddbe566769317cf8748a3c7b67a127d..dd462d5c438bb3e1cc1390337066e6ee693a552c 100644
--- a/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/System/DateTimeTest.php
@@ -141,4 +141,18 @@ function testDateFormatStorage() {
     $format = config('locale.config.en.system.date')->get('formats.test_short_en.pattern.php');
     $this->assertEqual('dmYHis', $format, 'Localized date format resides in localized config.');
   }
+
+  /**
+   * Test that date formats are sanitized.
+   */
+  function testDateFormatXSS() {
+    $date_format_info = array(
+      'name' => 'XSS format',
+      'pattern' => array('php' => '\<\s\c\r\i\p\t\>\a\l\e\r\t\(\'\X\S\S\'\)\;\<\/\s\c\r\i\p\t\>'),
+    );
+    system_date_format_save('xss_short', $date_format_info);
+
+    $this->drupalGet('admin/config/regional/date-time');
+    $this->assertNoRaw("<script>alert('XSS');</script>", 'The date format was properly sanitized');
+  }
 }
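Review bot: `testDateFormatXSS()` only asserts that the raw script tag is absent from the page, which also passes if the saved format was never listed on `admin/config/regional/date-time` (for instance if `system_date_format_save()` rejected the pattern or the formats table did not render), so the test cannot distinguish "sanitised" from "missing". Add a positive check before the negative one, such as `$this->assertText('XSS format', 'The saved date format is listed on the page.');`, so the assertion is known to run against a page that actually contains the format's output. It would also be worth asserting the expected sanitised rendering directly, e.g. `$this->assertRaw("alert('XSS');", ...)` with the tags stripped, so a regression that hides the format entirely does not silently pass.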