diff --git a/core/lib/Drupal/Core/Controller/TitleResolver.php b/core/lib/Drupal/Core/Controller/TitleResolver.php
index 4fe90a6..760b64e 100644
--- a/core/lib/Drupal/Core/Controller/TitleResolver.php
+++ b/core/lib/Drupal/Core/Controller/TitleResolver.php
@@ -11,6 +11,7 @@
 use Drupal\Core\StringTranslation\TranslationInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Route;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Provides the default implementation of the title resolver interface.
@@ -49,7 +50,7 @@ public function getTitle(Request $request, Route $route) {
     if ($callback = $route->getDefault('_title_callback')) {
       $callable = $this->controllerResolver->getControllerFromDefinition($callback);
       $arguments = $this->controllerResolver->getArguments($request, $callable);
-      $route_title = call_user_func_array($callable, $arguments);
+      $route_title = Xss::filterAdmin(call_user_func_array($callable, $arguments));
     }
     elseif ($title = $route->getDefault('_title')) {
       $options = array();
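Review bot: `Xss::filterAdmin()` on the `_title_callback` result uses the permissive admin tag list, so it strips script-capable markup but still lets links, images and formatting tags through in a title that a callback may have built from user-supplied labels. The contract should be written down where the filter is applied, e.g. `// Title callbacks may return markup; they remain responsible for escaping user-supplied values before returning.`, and the docblock for getTitle() should state that the returned string is filtered HTML, not plain text. The callback result is also passed to the filter without a type check, so a callback returning NULL or a non-string value now reaches it; whether callers depend on an unset title is not visible here. getTitle() starts before this hunk and the `_title` branch continues past it, so how the static title is sanitized cannot be confirmed from these lines.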
diff --git a/core/lib/Drupal/Core/EventSubscriber/ViewSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/ViewSubscriber.php
index 84b94c9..b917df1 100644
--- a/core/lib/Drupal/Core/EventSubscriber/ViewSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/ViewSubscriber.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Ajax\AjaxResponseRenderer;
 use Drupal\Core\Controller\TitleResolverInterface;
 use Drupal\Core\Page\HtmlPage;
+use Drupal\Component\Utility\Xss;
 use Symfony\Cmf\Component\Routing\RouteObjectInterface;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -112,7 +113,10 @@ public function onView(GetResponseForControllerResultEvent $event) {
       }
 
       // If no title was returned fall back to one defined in the route.
-      if (!isset($page_result['#title'])) {
+      if (isset($page_result['#title'])) {
+        $page_result['#title'] = Xss::filterAdmin($page_result['#title']);
+      }
+      else {
         $page_result['#title'] = $this->titleResolver->getTitle($request, $request->attributes->get(RouteObjectInterface::ROUTE_OBJECT));
       }
 
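Review bot: Filtering `$page_result['#title']` in this one branch of onView() protects only titles that arrive through this code path. Any other place that sets or prints a page title needs the same call, and the duplication with TitleResolver::getTitle() makes that easy to miss. Consider applying the filter once where the title is handed to the page object or template, or at least add a comment such as `// Controller-supplied titles are untrusted markup: filter before they reach the page.` so later branches follow the same rule. The diff as shown adds no test; a case asserting that a `#title` containing a `<script>` element comes out stripped, on both the render-array and the title-callback path, would pin the behaviour. onView() begins and ends outside this hunk, so the other response branches are not visible here.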
