diff --git a/core/modules/node/src/Plugin/Search/NodeSearch.php b/core/modules/node/src/Plugin/Search/NodeSearch.php
index 87a3851..bab5cc9 100644
--- a/core/modules/node/src/Plugin/Search/NodeSearch.php
+++ b/core/modules/node/src/Plugin/Search/NodeSearch.php
@@ -332,11 +332,9 @@ protected function prepareResults(StatementInterface $found) {
       unset($build['#theme']);
       $build['#pre_render'][] = array($this, 'removeSubmittedInfo');
 
-      // Fetch comment count for snippet.
-      $rendered = SafeMarkup::set(
-        $this->renderer->renderPlain($build) . ' ' .
-        SafeMarkup::escape($this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode)))
-      );
+      // Fetch comments for snippet.
+      $rendered = $this->renderer->renderPlain($build);
+      $rendered .= ' ' . $this->moduleHandler->invoke('comment', 'node_update_index', array($node, $item->langcode));
 
       $extra = $this->moduleHandler->invokeAll('node_search_result', array($node, $item->langcode));
 
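Review bot: Nothing at the two added lines records why the comment module's output can now be appended to `$rendered` without `SafeMarkup::escape()`. The string is only safe to print if it later passes through something that strips or escapes markup, presumably `search_excerpt()`, whose docblock in this same patch says tags are stripped; that call is outside this hunk. I would extend the comment to something like `// Fetch comments for snippet. $rendered is not safe markup at this point; it must only reach output through search_excerpt(), which strips tags.` so a later refactor does not print `$rendered` directly. prepareResults() starts and ends outside the hunk.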
diff --git a/core/modules/search/search.module b/core/modules/search/search.module
index 25d52b5..e7ee180 100644
--- a/core/modules/search/search.module
+++ b/core/modules/search/search.module
@@ -618,7 +618,8 @@ function search_mark_for_reindex($type = NULL, $sid = NULL, $langcode = NULL) {
 /**
  * Returns snippets from a piece of text, with search keywords highlighted.
  *
- * Used for formatting search results.
+ * Used for formatting search results. All HTML tags will be stripped from
+ * $text.
  *
  * @param string $keys
  *   A string containing a search query.
diff --git a/core/modules/search/src/Tests/SearchCommentTest.php b/core/modules/search/src/Tests/SearchCommentTest.php
index b9916e2..fc96911 100644
--- a/core/modules/search/src/Tests/SearchCommentTest.php
+++ b/core/modules/search/src/Tests/SearchCommentTest.php
@@ -126,6 +126,12 @@ function testSearchResultsComment() {
     $edit_comment['comment_body[0][format]'] = $full_html_format_id;
     $this->drupalPostForm('comment/reply/node/' . $node->id() .'/comment', $edit_comment, t('Save'));
 
+    // Post a comment with an evil script as its subject.
+    $edit_comment2 = array();
+    $edit_comment2['subject[0][value]'] = "<script>alert('hello');</script>";
+    $edit_comment2['comment_body[0][value]'] = '<p>goodbye</p>';
+    $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save'));
+
     // Invoke search index update.
     $this->drupalLogout();
     $this->cronRun();
@@ -152,6 +158,14 @@ function testSearchResultsComment() {
     $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.');
     $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.');
 
+    // Search for the evil comment subject.
+    $edit = array(
+      'keys' => "hello",
+    );
+    // Verify the evil comment subject is escaped in search results.
+    $this->drupalPostForm('search/node', $edit, t('Search'));
+    $this->assertRaw('alert(&#039;<strong>hello</strong>&#039;);');
+
     // Hide comments.
     $this->drupalLogin($this->adminUser);
     $node->set('comment', CommentItemInterface::HIDDEN);
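Review bot: The added `assertRaw()` only proves that the entity-encoded, highlighted text is present; it would still pass if a raw script tag from the comment subject were also in the response. Add a negative check beside it, e.g. `$this->assertNoRaw('<script>alert(', 'Script tag from comment subject is not output in search results.');`, and give the `assertRaw()` a message as the neighbouring assertions have. The inline comment says the subject is "escaped", while the expected string shows the tags gone and only the quotes entity-encoded, so the wording could say "stripped of tags and escaped". The evil comment itself is posted in the previous hunk of this file, and testSearchResultsComment() continues outside both hunks.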
diff --git a/core/modules/search/src/Tests/SearchExcerptTest.php b/core/modules/search/src/Tests/SearchExcerptTest.php
index 9ed4403..dd6b259 100644
--- a/core/modules/search/src/Tests/SearchExcerptTest.php
+++ b/core/modules/search/src/Tests/SearchExcerptTest.php
@@ -39,7 +39,7 @@ function testSearchExcerpt() {
     // important for HTML formatting. Remove these for comparison.
     $expected = 'The quick brown fox &amp; jumps over the lazy dog';
     $result = preg_replace('| +|', ' ', search_excerpt('nothing', $text));
-    $this->assertEqual(preg_replace('| +|', ' ', $result), $expected, 'Entire string is returned when keyword is not found in short string');
+    $this->assertEqual(preg_replace('| +|', ' ', $result), $expected, 'Entire string, stripped of HTML tags, is returned when keyword is not found in short string');
 
     $result = preg_replace('| +|', ' ', search_excerpt('fox', $text));
     $this->assertEqual($result, 'The quick brown <strong>fox</strong> &amp; jumps over the lazy dog', 'Found keyword is highlighted');
