diff --git a/core/modules/dblog/src/Controller/DbLogController.php b/core/modules/dblog/src/Controller/DbLogController.php
index 038c7ca04e56b6f4df00cba8e31935869283fec3..76c0f49617145cf4bfb0c664448d077eb75f1da5 100644
--- a/core/modules/dblog/src/Controller/DbLogController.php
+++ b/core/modules/dblog/src/Controller/DbLogController.php
@@ -277,7 +277,7 @@ public function eventDetails($event_id) {
         ),
         array(
           array('data' => $this->t('Operations'), 'header' => TRUE),
-          $dblog->link,
+          SafeMarkup::checkAdminXss($dblog->link),
         ),
       );
       $build['dblog_table'] = array(
@@ -354,7 +354,7 @@ public function formatMessage($row) {
     else {
       $message = FALSE;
     }
-    return $message;
+    return ($message) ? Xss::filterAdmin($message) : FALSE;
   }
 
   /**
diff --git a/core/modules/dblog/src/Tests/DbLogTest.php b/core/modules/dblog/src/Tests/DbLogTest.php
index 9726fff2efa7c77092ea838819c13e514f1a2b07..c4d6e69382cc64efbeba65a60eaad992bd2368b7 100644
--- a/core/modules/dblog/src/Tests/DbLogTest.php
+++ b/core/modules/dblog/src/Tests/DbLogTest.php
@@ -7,9 +7,11 @@
 
 namespace Drupal\dblog\Tests;
 
+use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\Unicode;
 use Drupal\Component\Utility\Xss;
 use Drupal\Core\Logger\RfcLogLevel;
+use Drupal\Core\Url;
 use Drupal\dblog\Controller\DbLogController;
 use Drupal\simpletest\WebTestBase;
 
@@ -71,6 +73,8 @@ function testDbLog() {
     $this->verifyEvents();
     $this->verifyReports();
     $this->verifyBreadcrumbs();
+    $this->verifyLinkEscaping();
+    $this->verifyMessageEscaping();
     // Verify the overview table sorting.
     $orders = array('Date', 'Type', 'User');
     $sorts = array('asc', 'desc');
@@ -129,21 +133,33 @@ private function verifyCron($row_limit) {
    *
    * @param int $count
    *   Number of watchdog entries to generate.
-   * @param string $type
-   *   (optional) The type of watchdog entry. Defaults to 'custom'.
-   * @param int $severity
-   *   (optional) The severity of the watchdog entry. Defaults to
-   *   \Drupal\Core\Logger\RfcLogLevel::NOTICE.
+   * @param array $options
+   *   These options are used to override the defaults for the test.
+   *   An associative array containing any of the following keys:
+   *   - 'channel': String identifying the log channel to be output to.
+   *     If the channel is not set, the default of 'custom' will be used.
+   *   - 'message': String containing a message to be output to the log.
+   *     A simple default message is used if not provided.
+   *   - 'variables': Array of variables that match the message string.
+   *   - 'severity': Log severity level as defined in logging_severity_levels.
+   *   - 'link': String linking to view the result of the event.
+   *   - 'user': String identifying the username.
+   *   - 'uid': Int identifying the user id for the user.
+   *   - 'request_uri': String identifying the location of the request.
+   *   - 'referer': String identifying the referring url.
+   *   - 'ip': String The ip address of the client machine triggering the log
+   *     entry.
+   *   - 'timestamp': Int unix timestamp.
    */
-  private function generateLogEntries($count, $type = 'custom', $severity = RfcLogLevel::NOTICE) {
+  private function generateLogEntries($count, $options = array()) {
     global $base_root;
 
     // Prepare the fields to be logged
-    $log = array(
-      'channel'     => $type,
-      'message'     => 'Log entry added to test the dblog row limit.',
+    $log = $options + array(
+      'channel'     => 'custom',
+      'message'     => 'Dblog test log message',
       'variables'   => array(),
-      'severity'    => $severity,
+      'severity'    => RfcLogLevel::NOTICE,
       'link'        => NULL,
       'user'        => $this->adminUser,
       'uid'         => $this->adminUser->id(),
@@ -151,11 +167,13 @@ private function generateLogEntries($count, $type = 'custom', $severity = RfcLog
       'referer'     => \Drupal::request()->server->get('HTTP_REFERER'),
       'ip'          => '127.0.0.1',
       'timestamp'   => REQUEST_TIME,
-      );
-    $message = 'Log entry added to test the dblog row limit. Entry #';
+    );
+
+    $logger = $this->container->get('logger.dblog');
+    $message = $log['message'] . ' Entry #';
     for ($i = 0; $i < $count; $i++) {
       $log['message'] = $message . $i;
-      $this->container->get('logger.dblog')->log($severity, $log['message'], $log);
+      $logger->log($log['severity'], $log['message'], $log);
     }
   }
 
@@ -246,6 +264,82 @@ public function verifySort($sort = 'asc', $order = 'Date') {
     $this->assertText(t('Recent log messages'), 'DBLog report was displayed correctly and sorting went fine.');
   }
 
+  /**
+   * Tests the escaping of links in the operation row of a database log detail
+   * page.
+   */
+  private function verifyLinkEscaping() {
+    $link = \Drupal::l('View', Url::fromRoute('entity.node.canonical', array('node' => 1)));
+    $message = 'Log entry added to do the verifyLinkEscaping test.';
+    $this->generateLogEntries(1, array(
+      'message' => $message,
+      'link' => $link,
+    ));
+
+    $result = db_query_range('SELECT wid FROM {watchdog} ORDER BY wid DESC', 0, 1);
+    $this->drupalGet('admin/reports/dblog/event/' . $result->fetchField());
+
+    // Check if the link exists (unescaped).
+    $this->assertRaw($link);
+
+    // Check for XSS filtering.
+    $js_txt = 'This should not pop up!';
+    $js = '<script>alert("' . $js_txt . '");</script>';
+    $this->generateLogEntries(1, array(
+      'message' => $message,
+      'link' => $link . $js,
+    ));
+
+    $result = db_query_range('SELECT wid FROM {watchdog} ORDER BY wid DESC', 0, 1);
+    $this->drupalGet('admin/reports/dblog/event/' . $result->fetchField());
+
+    // Check if the link exists (unescaped).
+    $this->assertRaw($link);
+
+    // Check if javascript was escaped.
+    $this->assertNoRaw($js, 'Detail view: javascript in link is blocked');
+    $this->assertRaw($js_txt, 'Detail view: javascript text exists');
+  }
+
+  /**
+   * Test the escaping of message in the operation row of a database log detail
+   * page.
+   */
+  private function verifyMessageEscaping() {
+    $link = \Drupal::l('View', Url::fromRoute('entity.node.canonical', array('node' => 1)));
+    $message = String::format('%message', array(
+      '%message' => 'Log entry added to do the verifyMessageEscaping test.',
+    ));
+    $this->generateLogEntries(1, array(
+      'message' => $message,
+      'link' => $link,
+    ));
+
+    $result = db_query_range('SELECT wid FROM {watchdog} ORDER BY wid DESC', 0, 1);
+    $this->drupalGet('admin/reports/dblog/event/' . $result->fetchField());
+
+    // Check if the link exists (unescaped).
+    $this->assertRaw($message);
+
+    // Check for XSS filtering.
+    $js_txt = 'This should not pop up!';
+    $js = '<script>alert("' . $js_txt . '");</script>';
+    $this->generateLogEntries(1, array(
+      'message' => $message . $js,
+      'link' => $link,
+    ));
+
+    $result = db_query_range('SELECT wid FROM {watchdog} ORDER BY wid DESC', 0, 1);
+    $this->drupalGet('admin/reports/dblog/event/' . $result->fetchField());
+
+    // Check if the link exists (unescaped).
+    $this->assertRaw($message);
+
+    // Check if javascript was escaped.
+    $this->assertNoRaw($js, 'Detail view: javascript in message is blocked');
+    $this->assertRaw($js_txt, 'Detail view: javascript text exists ');
+  }
+
   /**
    * Generates and then verifies some user events.
    */
@@ -497,7 +591,10 @@ public function testFilter() {
           'type' => $type_name,
           'severity' => $severity++,
         );
-        $this->generateLogEntries($type['count'], $type['type'], $type['severity']);
+        $this->generateLogEntries($type['count'], array(
+          'channel' => $type['type'],
+          'severity' => $type['severity'],
+        ));
       }
     }