diff --git a/core/modules/color/color.module b/core/modules/color/color.module
index f5622c8..c664570 100644
--- a/core/modules/color/color.module
+++ b/core/modules/color/color.module
@@ -284,7 +284,7 @@ function template_preprocess_color_scheme_form(&$variables) {
 
   // Attempt to load preview HTML if the theme provides it.
   $preview_html_path = \Drupal::root() . '/' . (isset($info['preview_html']) ? drupal_get_path('theme', $theme) . '/' . $info['preview_html'] : drupal_get_path('module', 'color') . '/preview.html');
-  $variables['html_preview'] = SafeMarkup::set(file_get_contents($preview_html_path));
+  $variables['html_preview'] = SafeMarkup::checkAdminXss(file_get_contents($preview_html_path));
 }
 
 /**
diff --git a/core/modules/color/src/Tests/ColorSafePreviewTest.php b/core/modules/color/src/Tests/ColorSafePreviewTest.php
new file mode 100644
index 0000000..e420658
--- /dev/null
+++ b/core/modules/color/src/Tests/ColorSafePreviewTest.php
@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\color\Tests\ColorSafePreviewTest.
+ */
+
+namespace Drupal\color\Tests;
+
+use Drupal\Core\Url;
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests sanitizing color preview loaded from theme.
+ *
+ * @group Theme
+ */
+class ColorSafePreviewTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var string[]
+   */
+  public static $modules = ['color', 'color_test'];
+
+  /**
+   * A user with administrative permissions.
+   *
+   * @var \Drupal\user\UserInterface
+   */
+  protected $bigUser;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp() {
+    parent::setUp();
+
+    // Create user.
+    $this->bigUser = $this->drupalCreateUser(['administer themes']);
+  }
+
+  /**
+   * Ensures color preview.html is sanitized.
+   */
+  function testColorPreview() {
+    // Install the test theme
+    \Drupal::service('theme_handler')->install(['color_test_theme']);
+
+    $url_object = Url::fromRoute('system.theme_settings_theme', ['theme' => 'color_test_theme']);
+
+    $this->drupalLogin($this->bigUser);
+    $this->drupalGet($url_object);
+    $this->assertText('TEST COLOR PREVIEW');
+
+    $this->assertNoRaw('<script>alert("security filter test");</script>');
+    $this->assertRaw('<h2>TEST COLOR PREVIEW</h2>');
+  }
+
+
+}
diff --git a/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc
index bf0affe..b88e8ea 100644
--- a/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc
+++ b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/color.inc
@@ -29,4 +29,5 @@
   'css' => array(
     'css/colors.css',
   ),
+  'preview_html' => 'color/preview.html',
 );
diff --git a/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
new file mode 100644
index 0000000..f7346ca
--- /dev/null
+++ b/core/modules/color/tests/modules/color_test/themes/color_test_theme/color/preview.html
@@ -0,0 +1,8 @@
+<div class="color-preview">
+  <div id="text">
+    <h2>TEST COLOR PREVIEW</h2>
+    <p>Sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud <a href="#">exercitation ullamco</a> laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.</p>
+  </div>
+  <div id="img"></div>
+</div>
+<script>alert("security filter test");</script>