diff --git a/core/lib/Drupal/Core/Controller/TitleResolver.php b/core/lib/Drupal/Core/Controller/TitleResolver.php
index 4fe90a6..760b64e 100644
--- a/core/lib/Drupal/Core/Controller/TitleResolver.php
+++ b/core/lib/Drupal/Core/Controller/TitleResolver.php
@@ -11,6 +11,7 @@
 use Drupal\Core\StringTranslation\TranslationInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Route;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Provides the default implementation of the title resolver interface.
@@ -49,7 +50,7 @@ public function getTitle(Request $request, Route $route) {
     if ($callback = $route->getDefault('_title_callback')) {
       $callable = $this->controllerResolver->getControllerFromDefinition($callback);
       $arguments = $this->controllerResolver->getArguments($request, $callable);
-      $route_title = call_user_func_array($callable, $arguments);
+      $route_title = Xss::filterAdmin(call_user_func_array($callable, $arguments));
     }
     elseif ($title = $route->getDefault('_title')) {
       $options = array();