only in patch2: unchanged:
--- a/core/modules/search/src/Tests/SearchCommentTest.php
+++ b/core/modules/search/src/Tests/SearchCommentTest.php
@@ -126,6 +126,12 @@ function testSearchResultsComment() {
 $edit_comment['comment_body[0][format]'] = $full_html_format_id;
 $this->drupalPostForm('comment/reply/node/' . $node->id() .'/comment', $edit_comment, t('Save'));
+ // Post a comment with an evil script as its subject.
+ $edit_comment2 = array();
+ $edit_comment2['subject[0][value]'] = "";
+ $edit_comment2['comment_body[0][value]'] = '

goodbye

'; + $this->drupalPostForm('comment/reply/node/' . $node->id() . '/comment', $edit_comment2, t('Save')); + // Invoke search index update. $this->drupalLogout(); $this->cronRun(); @@ -152,6 +158,14 @@ function testSearchResultsComment() { $this->assertNoRaw(t('n/a'), 'HTML in comment body is not hidden.'); $this->assertNoEscaped($edit_comment['comment_body[0][value]'], 'HTML in comment body is not escaped.'); + // Search for the evil comment subject. + $edit = array( + 'keys' => "hello", + ); + // Verify the evil comment subject is escaped in search results. + $this->drupalPostForm('search/node', $edit, t('Search')); + $this->assertRaw('alert('hello');'); + // Hide comments. $this->drupalLogin($this->adminUser); $node->set('comment', CommentItemInterface::HIDDEN);
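Review bot: The assertion closing the second hunk, `$this->assertRaw('alert('hello');');`, only checks that a fragment of the payload text is present in the search results page, which does not establish that the comment subject was escaped — a response that rendered the script element unescaped would contain that same text and pass. The comment above it says the subject should be escaped, so assert that directly against the value that was posted, `$this->assertEscaped($edit_comment2['subject[0][value]']);` together with `$this->assertNoRaw($edit_comment2['subject[0][value]']);`, mirroring the `assertNoEscaped`/`assertNoRaw` pair the test already uses for the comment body. Deriving the expectation from `$edit_comment2` also keeps it in sync with the payload posted in the first hunk, whose subject literal appears empty as rendered here (the markup presumably did not survive rendering), and the quoted `assertRaw` literal as shown is not valid PHP, so the actual line may differ from what is visible. `testSearchResultsComment()` begins and ends outside both hunks.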