diff --git a/core/modules/comment/src/Tests/CommentPreviewTest.php b/core/modules/comment/src/Tests/CommentPreviewTest.php
index a1d0804..5900399 100644
--- a/core/modules/comment/src/Tests/CommentPreviewTest.php
+++ b/core/modules/comment/src/Tests/CommentPreviewTest.php
@@ -139,7 +139,7 @@ function testCommentEditPreviewSave() {
 $this->assertTitle(t('Preview comment | Drupal'), 'Page title is "Preview comment".');
 $this->assertText($edit['subject[0][value]'], 'Subject displayed.');
 $this->assertText($edit['comment_body[0][value]'], 'Comment displayed.');
- $this->assertText($edit['name'], 'Author displayed.');
+ $this->assertEscaped($edit['name'], 'Author displayed.');
 $this->assertText($expected_text_date, 'Date displayed.');
 // Check that the subject, comment, author and date fields are displayed with the correct values.
diff --git a/core/modules/language/src/Tests/LanguageUrlRewritingTest.php b/core/modules/language/src/Tests/LanguageUrlRewritingTest.php
index f590861..748e338 100644
--- a/core/modules/language/src/Tests/LanguageUrlRewritingTest.php
+++ b/core/modules/language/src/Tests/LanguageUrlRewritingTest.php
@@ -66,7 +66,7 @@ function testUrlRewritingEdgeCases() {
 // Check that URL rewriting is not applied to subrequests.
 $this->drupalGet('language_test/subrequest');
- $this->assertText($this->webUser->getUsername(), 'Page correctly retrieved');
+ $this->assertEscaped($this->webUser->getUsername(), 'Page correctly retrieved');
 }
 /**
diff --git a/core/modules/node/src/Tests/NodeCreationTest.php b/core/modules/node/src/Tests/NodeCreationTest.php
index 7972f5d..986c5b1 100644
--- a/core/modules/node/src/Tests/NodeCreationTest.php
+++ b/core/modules/node/src/Tests/NodeCreationTest.php
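Review bot: In `testCommentEditPreviewSave()` (CommentPreviewTest.php) the new `assertEscaped($edit['name'], …)` only says something about escaping if the author name contains HTML-special characters; for a purely alphanumeric name the escaped and raw forms are identical, so the assertion would still pass on unescaped output. The code that builds `$edit['name']` is outside the hunk, so it is worth confirming that it produces such characters and saying so in a comment next to the assertion, e.g. `// The author name contains HTML-special characters; it must appear escaped.` Where the page has no context that legitimately carries the raw name, a paired negative check such as `$this->assertNoRaw($edit['name'], 'Author name is not output unescaped.');` would catch a regression directly. The same applies to the `assertEscaped()` calls added in LanguageUrlRewritingTest, NodeCreationTest, SearchExactTest, UserBlocksTest, UserPasswordResetTest and BulkFormTest; the function body continues outside this hunk.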
@@ -70,7 +70,7 @@ function testNodeCreation() {
 $node_type->save();
 $this->drupalGet('node/' . $node->id());
- $this->assertText($node->getOwner()->getUsername());
+ $this->assertEscaped($node->getOwner()->getUsername());
 $this->assertText(format_date($node->getCreatedTime()));
 }
diff --git a/core/modules/search/src/Tests/SearchConfigSettingsFormTest.php b/core/modules/search/src/Tests/SearchConfigSettingsFormTest.php
index 2c17ed6..4a9b22f 100644
--- a/core/modules/search/src/Tests/SearchConfigSettingsFormTest.php
+++ b/core/modules/search/src/Tests/SearchConfigSettingsFormTest.php
@@ -165,7 +165,7 @@ function testSearchModuleDisabling() {
 $this->drupalGet('search/' . $entity->getPath(), array('query' => array('keys' => $info['keys'])));
 $this->assertResponse(200);
 $this->assertNoText('no results', $entity->label() . ' search found results');
- $this->assertText($info['text'], 'Correct search text found');
+ $this->assertEscaped($info['text'], 'Correct search text found');
 // Verify that other plugin search tab labels are not visible.
 foreach ($plugins as $other) {
diff --git a/core/modules/search/src/Tests/SearchExactTest.php b/core/modules/search/src/Tests/SearchExactTest.php
index e4f3511..d312578 100644
--- a/core/modules/search/src/Tests/SearchExactTest.php
+++ b/core/modules/search/src/Tests/SearchExactTest.php
@@ -67,7 +67,7 @@ function testExactQuery() {
 $edit = array('keys' => 'Druplicon');
 $this->drupalPostForm('search/node', $edit, t('Search'));
- $this->assertText($user->getUsername(), 'Basic page node displays author name when post settings are on.');
+ $this->assertEscaped($user->getUsername(), 'Basic page node displays author name when post settings are on.');
 $this->assertText(format_date($node->getChangedTime(), 'short'), 'Basic page node displays post date when post settings are on.');
 // Check that with post settings turned off the user and changed date
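Review bot: In `testSearchModuleDisabling()` (SearchConfigSettingsFormTest.php) the expectation `$info['text']` is now matched in HTML-escaped form, but nothing in the hunk says why search result text needs that. Presumably one of the plugin entries uses a username as its expected text; that definition is outside the hunk. A one-line comment above the assertion would stop a later cleanup from reverting it, e.g. `// The expected text can be a username, which is rendered HTML-escaped.` The loop this assertion sits in starts and ends outside the hunk.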
diff --git a/core/modules/user/src/Tests/UserBlocksTest.php b/core/modules/user/src/Tests/UserBlocksTest.php
index 9ac5ae9..252755b 100644
--- a/core/modules/user/src/Tests/UserBlocksTest.php
+++ b/core/modules/user/src/Tests/UserBlocksTest.php
@@ -7,6 +7,7 @@
 namespace Drupal\user\Tests;
+use Drupal\Component\Utility\Html;
 use Drupal\simpletest\WebTestBase;
 /**
@@ -105,10 +106,10 @@ function testWhosOnlineBlock() {
 $content = entity_view($block, 'block');
 $this->setRawContent(\Drupal::service('renderer')->renderRoot($content));
 $this->assertRaw(t('2 users'), 'Correct number of online users (2 users).');
- $this->assertText($user1->getUsername(), 'Active user 1 found in online list.');
- $this->assertText($user2->getUsername(), 'Active user 2 found in online list.');
+ $this->assertEscaped($user1->getUsername(), 'Active user 1 found in online list.');
+ $this->assertEscaped($user2->getUsername(), 'Active user 2 found in online list.');
 $this->assertNoText($user3->getUsername(), 'Inactive user not found in online list.');
- $this->assertTrue(strpos($this->getRawContent(), $user1->getUsername()) > strpos($this->getRawContent(), $user2->getUsername()), 'Online users are ordered correctly.');
+ $this->assertTrue(strpos($this->getRawContent(), Html::escape($user1->getUsername())) > strpos($this->getRawContent(), Html::escape($user2->getUsername())), 'Online users are ordered correctly.');
 }
 /**
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 6d53838..b8ba3fb 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
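Review bot: In `testWhosOnlineBlock()` the negative check `assertNoText($user3->getUsername(), …)` still uses the raw name, while both positive checks and the ordering check moved to the escaped form. If the username contains characters that are escaped on output, the raw string may never appear in the rendered block, so this assertion could pass even when the inactive user is listed. Compare against the form the block actually emits: `$this->assertNoRaw(Html::escape($user3->getUsername()), 'Inactive user not found in online list.');`. Separately, the ordering assertion compares two `strpos()` results without ruling out `FALSE`, so a missing name shows up only as a misleading ordering result.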
@@ -101,14 +101,14 @@ function testUserPasswordReset() {
 $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
 // Check the one-time login page.
- $this->assertText($this->account->getUsername(), 'One-time login page contains the correct username.');
+ $this->assertEscaped($this->account->getUsername(), 'One-time login page contains the correct username.');
 $this->assertText(t('This login can be used only once.'), 'Found warning about one-time login.');
 $this->assertTitle(t('Reset password | Drupal'), 'Page title is "Reset password".');
 // Check successful login.
 $this->drupalPostForm(NULL, NULL, t('Log in'));
 $this->assertLink(t('Log out'));
- $this->assertTitle(t('@name | @site', array('@name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
+ $this->assertTitle(t('!name | @site', array('!name' => $this->account->getUsername(), '@site' => $this->config('system.site')->get('name'))), 'Logged in using password reset link.');
 // Make sure the ajax request from uploading a user picture does not
 // invalidate the reset token.
diff --git a/core/modules/user/src/Tests/Views/BulkFormTest.php b/core/modules/user/src/Tests/Views/BulkFormTest.php
index 0cd84b3..0241c7e 100644
--- a/core/modules/user/src/Tests/Views/BulkFormTest.php
+++ b/core/modules/user/src/Tests/Views/BulkFormTest.php
@@ -82,7 +82,7 @@ public function testBulkForm() {
 // Block a user using the bulk form.
 $this->assertTrue($account->isActive(), 'The user is not blocked.');
- $this->assertRaw($account->label(), 'The user is found in the table.');
+ $this->assertEscaped($account->label(), 'The user is found in the table.');
 $edit = array(
 'user_bulk_form[1]' => TRUE,
 'action' => 'user_block_user_action',
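Review bot: The expected title in `testUserPasswordReset()` now mixes an unescaped `!name` placeholder with an escaped `@site`, and nothing in the hunk explains the difference. Presumably `assertTitle()` compares against the decoded title text, so the username must not be escaped in the expectation; the site name would need the same treatment if it ever contained special characters. Building the expectation without `t()` avoids the unescaped placeholder and makes the intent plain: `$this->assertTitle($this->account->getUsername() . ' | ' . $this->config('system.site')->get('name'), 'Logged in using password reset link.');`. If `!name` stays, add a comment such as `// assertTitle() compares decoded text, so the name must not be escaped here.` so the pattern is not copied into code that renders output.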