Draft: Resolve #3515520 "Add test coverage"

Closes #3515520

core/modules/system/tests/modules/ajax_test/src/Form/AjaxTestMessageCommandForm.php

@@ -54,6 +54,15 @@ public function buildForm(array $form, FormStateInterface $form_state) {
       ],
     ];
 
+    $form['button_safe'] = [
+      '#type' => 'submit',
+      '#name' => 'make_safe_message',
+      '#value' => 'Make Safe Message',
+      '#ajax' => [
+        'callback' => '::makeSafeMessage',
+      ],
+    ];
+
     return $form;
   }
 
@@ -104,4 +113,15 @@ public function makeMessageWarning() {
     return $response->addCommand(new MessageCommand('I am a warning message in the default location.', NULL, ['type' => 'warning', 'announce' => '']));
   }
 
+  /**
+   * Callback for testing MessageCommand safe to XSS.
+   *
+   * @return \Drupal\Core\Ajax\AjaxResponse
+   *   The AJAX response.
+   */
+  public function makeSafeMessage() {
+    $response = new AjaxResponse();
+    return $response->addCommand(new MessageCommand('I am a warning message with script tag. <button onclick="javascript:alert(\'xss\')">Click me!</button>', NULL, ['type' => 'warning', 'announce' => '']));
+  }
+
 }