diff --git a/core/includes/install.inc b/core/includes/install.inc
index 8c2e9fe..98f5a99 100644
--- a/core/includes/install.inc
+++ b/core/includes/install.inc
@@ -8,6 +8,7 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\OpCodeCache;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\UrlHelper;
 use Drupal\Core\Extension\ExtensionDiscovery;
 use Drupal\Core\Site\Settings;
@@ -1019,11 +1020,15 @@ function drupal_check_module($module) {
 // Print any error messages
 foreach ($requirements as $requirement) {
 if (isset($requirement['severity']) && $requirement['severity'] == REQUIREMENT_ERROR) {
- $message = $requirement['description'];
+ // Prepair set of safe strings for rendering.
+ $message = SafeMarkup::escape($requirement['description']);
 if (isset($requirement['value']) && $requirement['value']) {
 $message .= ' (' . t('Currently using !item !version', array('!item' => $requirement['title'], '!version' => $requirement['value'])) . ')';
 }
- drupal_set_message($message, 'error');
+ // Make sure to mark the message string as secure.
+ // The string was previously checked as safe or escaped properly with
+ // SafeMarkup::escape() method.
+ drupal_set_message(SafeMarkup::set($message), 'error');
 }
 }
 return FALSE;
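Review bot: In the second hunk the unchanged `t('Currently using !item !version', ...)` line still uses `!` placeholders, which t() substitutes without escaping, so `$requirement['title']` and `$requirement['value']` are concatenated raw and then marked safe by the new `SafeMarkup::set($message)` call. The added comment's claim that the string "was previously checked as safe or escaped properly" therefore holds only for the description part. Switch that line to escaping placeholders, `t('Currently using @item @version', array('@item' => $requirement['title'], '@version' => $requirement['value']))`, so every piece is escaped before the combined string is marked safe. Where `$requirements` is built is not visible here, so whether title or value can carry data the module did not author should be confirmed against the caller. "Prepair" in the first added comment should read "Prepare"; drupal_check_module() begins and ends outside the hunk.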