diff --git a/core/modules/system/tests/modules/ajax_test/src/Form/AjaxTestMessageCommandForm.php b/core/modules/system/tests/modules/ajax_test/src/Form/AjaxTestMessageCommandForm.php
index 12b6f7598cd..4b4533a1677 100644
--- a/core/modules/system/tests/modules/ajax_test/src/Form/AjaxTestMessageCommandForm.php
+++ b/core/modules/system/tests/modules/ajax_test/src/Form/AjaxTestMessageCommandForm.php
@@ -54,6 +54,15 @@ public function buildForm(array $form, FormStateInterface $form_state) {
 ],
 ];
 
+ $form['button_safe'] = [
+ '#type' => 'submit',
+ '#name' => 'make_safe_message',
+ '#value' => 'Make Safe Message',
+ '#ajax' => [
+ 'callback' => '::makeSafeMessage',
+ ],
+ ];
+
 return $form;
 }
 
@@ -104,4 +113,15 @@ public function makeMessageWarning() {
 return $response->addCommand(new MessageCommand('I am a warning message in the default location.', NULL, ['type' => 'warning', 'announce' => '']));
 }
 
+ /**
+ * Callback for testing MessageCommand safe to XSS.
+ *
+ * @return \Drupal\Core\Ajax\AjaxResponse
+ * The AJAX response.
+ */
+ public function makeSafeMessage() {
+ $response = new AjaxResponse();
+ return $response->addCommand(new MessageCommand('I am a warning message with script tag. ', NULL, ['type' => 'warning', 'announce' => '']));
+ }
+
 }
diff --git a/core/tests/Drupal/FunctionalJavascriptTests/Ajax/MessageCommandTest.php b/core/tests/Drupal/FunctionalJavascriptTests/Ajax/MessageCommandTest.php
index ac347e8c45d..96c638248f4 100644
--- a/core/tests/Drupal/FunctionalJavascriptTests/Ajax/MessageCommandTest.php
+++ b/core/tests/Drupal/FunctionalJavascriptTests/Ajax/MessageCommandTest.php
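Review bot: The docblock on the new `makeSafeMessage()` reads `Callback for testing MessageCommand safe to XSS.`, which does not say what is being checked; `* Callback returning a message whose markup MessageCommand must not render.` would state the contract that the JavaScript test asserts. The message literal as shown on this page ends at `with script tag. ` right before the closing quote, so the markup the test depends on is not visible here, and I cannot confirm it agrees with the `Click me!` text expected by the first MessageCommandTest hunk or with the literal passed to the negative assertion in the second one. Like the sibling `makeMessageWarning()` visible in the context lines, the method declares no return type; `public function makeSafeMessage(): AjaxResponse {` would make the signature match its `@return` tag.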
@@ -96,6 +96,9 @@ public function testJsStatusMessageAssertions(): void {
 $page->pressButton('Make Warning Message');
 $this->assertSession()->statusMessageContainsAfterWait('I am a warning message in the default location.', 'warning');
 
+ $page->pressButton('Make Safe Message');
+ $this->assertSession()->statusMessageContainsAfterWait('I am a warning message with script tag. Click me!', 'warning');
+
 // Reload and test some negative assertions.
 $this->drupalGet('ajax-test/message');
 
@@ -111,6 +114,10 @@ public function testJsStatusMessageAssertions(): void {
 $page->pressButton('Make Warning Message');
 $this->assertSession()->statusMessageContainsAfterWait('I am a warning');
 
+ // Test script tag.
+ $page->pressButton('Make Safe Message');
+ $this->assertSession()->statusMessageNotContainsAfterWait('I am a warning message with script tag. ');
+
 // One more reload to try with different arg combinations.
 $this->drupalGet('ajax-test/message');
 
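Review bot: The comment `// Test script tag.` above the negative assertion in the second hunk names the button rather than what the assertion proves; `// The tag in the message must not reach the displayed status text.` would carry the intent. The argument to `statusMessageNotContainsAfterWait()` repeats the whole message prefix `I am a warning message with script tag. ` (whatever follows it is not visible on this page), so a later rewording of that prefix in the form callback would make this negative assertion pass trivially while the positive assertion in the first hunk fails for an unrelated reason; asserting on the tag portion alone would keep the negative check meaningful. `testJsStatusMessageAssertions()` starts and continues outside both hunks.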