only in patch2:
unchanged:
--- /dev/null
+++ b/core/modules/entity_reference/src/Tests/EntityReferenceXSSTest.php
@@ -0,0 +1,79 @@
+drupalLogin($this->rootUser);
+ $this->createEntityReferenceField('node', 'article', 'entity_reference_test', 'Entity Reference test', 'node', 'default', ['target_bundles' => ['page']]);
+ }
+
+ /**
+ * Ensures that XSS is not possible through entity reference select.
+ */
+ public function testEntityReferenceSelectXSS() {
+ \Drupal::entityManager()
+ ->getStorage('entity_form_display')
+ ->load('node.article.default')
+ ->setComponent('entity_reference_test', ['type' => 'options_select'])
+ ->save();
+ $node = [
+ 'type' => 'page',
+ 'title' => 'I am kitten',
+ ];
+ $this->drupalCreateNode($node);
+ $this->drupalGet('node/add/article');
+ $this->assertRaw(strip_tags($node['title']));
+ }
+
+ /**
+ * Ensures that XSS is not possible through entity reference display.
+ */
+ public function testEntityReferenceDisplayXSS() {
+ \Drupal::entityManager()
+ ->getStorage('entity_view_display')
+ ->load('node.article.default')
+ ->setComponent('entity_reference_test')
+ ->save();
+ $node = [
+ 'type' => 'page',
+ 'title' => 'I am kitten',
+ ];
+ $node1 = $this->drupalCreateNode($node);
+ $node = [
+ 'type' => 'article',
+ 'field_entity_reference_test' => [
+ 'target_id' => $node1->id(),
+ ],
+ ];
+ $node2 = $this->drupalCreateNode($node);
+ $this->drupalGet('node/' . $node2->id());
+ $this->assertEscaped($node1->getTitle());
+ }
+
+}
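Review bot: The assertion in testEntityReferenceSelectXSS, `$this->assertRaw(strip_tags($node['title']));`, cannot fail when the title's markup is emitted unescaped, because the tag-stripped text is a substring of the raw title either way; pairing it with `$this->assertNoRaw($node['title']);` would let the test detect unsanitized output in the select options. Both titles appear here as plain 'I am kitten', so the markup that the strip_tags() call implies is presumably lost in this rendering of the patch; if the literal really carries no tags, neither test exercises escaping at all. In testEntityReferenceDisplayXSS the referencing node is populated through the key `'field_entity_reference_test'`, while the visible createEntityReferenceField() and setComponent() calls use `'entity_reference_test'`, so the reference is likely never stored and the key should probably read `'entity_reference_test' => [`. The class header and the start of setUp() are not visible in this hunk, so a second field with the prefixed name cannot be ruled out from here.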