diff --git a/core/includes/common.inc b/core/includes/common.inc
index 1ac5b649247ae845b60cbb552987d7724a01ed46..422c79fd7178db6aead13eab8a37987ba1b5eb18 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2934,9 +2934,10 @@ function _drupal_bootstrap_code() {
   // Set the allowed protocols once we have the config available.
   $allowed_protocols = \Drupal::config('system.filter')->get('protocols');
   if (!isset($allowed_protocols)) {
-    // filter_xss_admin() is called by the installer and update.php, in which
-    // case the configuration may not exist (yet). Provide a minimal default set
-    // of allowed protocols for these cases.
+    // \Drupal\Component\Utility\UrlHelper::filterBadProtocol() is called by the
+    // installer and update.php, in which case the configuration may not exist
+    // (yet). Provide a minimal default set of allowed protocols for these
+    // cases.
     $allowed_protocols = array('http', 'https');
   }
   UrlHelper::setAllowedProtocols($allowed_protocols);
diff --git a/core/includes/errors.inc b/core/includes/errors.inc
index 56c276fdfaa247717b98912fc4b3fd5f714aa9c0..1abcdaaca616301dc609fa47f89e770203aa4e87 100644
--- a/core/includes/errors.inc
+++ b/core/includes/errors.inc
@@ -5,6 +5,7 @@
  * Functions for error handling.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Utility\Error;
 use Drupal\Component\Utility\String;
 use Symfony\Component\HttpFoundation\Response;
@@ -70,7 +71,7 @@ function _drupal_error_handler_real($error_level, $message, $filename, $line, $c
       '%type' => isset($types[$error_level]) ? $severity_msg : 'Unknown error',
       // The standard PHP error handler considers that the error messages
       // are HTML. We mimick this behavior here.
-      '!message' => filter_xss_admin($message),
+      '!message' => Xss::filterAdmin($message),
       '%function' => $caller['function'],
       '%file' => $caller['file'],
       '%line' => $caller['line'],
diff --git a/core/includes/form.inc b/core/includes/form.inc
index 5b292f53bf88d9c6fd02d689efa1a22b198fe40a..54feee0952db4e274ec727a8e743589f6ed9c3ac 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -2964,7 +2964,7 @@ function theme_form_element_label($variables) {
     $required = drupal_render($marker);
   }
 
-  $title = filter_xss_admin($element['#title']);
+  $title = Xss::filterAdmin($element['#title']);
 
   $attributes = array();
   // Style the label as class option to display inline with the element.
@@ -3062,9 +3062,10 @@ function _form_set_attributes(&$element, $class = array()) {
  * Note: if the batch 'title', 'init_message', 'progress_message', or
  * 'error_message' could contain any user input, it is the responsibility of
  * the code calling batch_set() to sanitize them first with a function like
- * \Drupal\Component\Utility\String::checkPlain() or filter_xss(). Furthermore,
- * if the batch operation returns any user input in the 'results' or 'message'
- * keys of $context, it must also sanitize them first.
+ * \Drupal\Component\Utility\String::checkPlain() or
+ * \Drupal\Component\Utility\Xss::filter(). Furthermore, if the batch operation
+ * returns any user input in the 'results' or 'message' keys of $context, it
+ * must also sanitize them first.
  *
  * Sample callback_batch_operation():
  * @code
diff --git a/core/includes/theme.inc b/core/includes/theme.inc
index ed5bd5846b5d0738e3a776c03367a3c23ccba89c..dec14f48ab1d9c2c2120e8945a2fb65155fdad63 100644
--- a/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -10,6 +10,7 @@
 
 use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\UrlHelper;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Config\Config;
 use Drupal\Core\Language\Language;
 use Drupal\Core\Extension\Extension;
@@ -2001,7 +2002,7 @@ function template_preprocess_html(&$variables) {
   else {
     $head_title = array('name' => String::checkPlain($site_config->get('name')));
     if ($site_config->get('slogan')) {
-      $head_title['slogan'] = strip_tags(filter_xss_admin($site_config->get('slogan')));
+      $head_title['slogan'] = strip_tags(Xss::filterAdmin($site_config->get('slogan')));
     }
   }
 
@@ -2097,7 +2098,7 @@ function template_preprocess_page(&$variables) {
   $variables['secondary_menu']    = theme_get_setting('features.secondary_menu') ? menu_secondary_menu() : array();
   $variables['action_links']      = menu_get_local_actions();
   $variables['site_name']         = (theme_get_setting('features.name') ? String::checkPlain($site_config->get('name')) : '');
-  $variables['site_slogan']       = (theme_get_setting('features.slogan') ? filter_xss_admin($site_config->get('slogan')) : '');
+  $variables['site_slogan']       = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_config->get('slogan')) : '');
   $variables['tabs']              = menu_local_tabs();
 
   // Pass the main menu and secondary menu to the template as render arrays.
@@ -2287,7 +2288,7 @@ function template_preprocess_maintenance_page(&$variables) {
   else {
     $head_title = array('name' => String::checkPlain($site_name));
     if ($site_slogan) {
-      $head_title['slogan'] = strip_tags(filter_xss_admin($site_slogan));
+      $head_title['slogan'] = strip_tags(Xss::filterAdmin($site_slogan));
     }
   }
 
@@ -2309,7 +2310,7 @@ function template_preprocess_maintenance_page(&$variables) {
   $variables['language']          = $language_interface;
   $variables['logo']              = theme_get_setting('logo.url');
   $variables['site_name']         = (theme_get_setting('features.name') ? String::checkPlain($site_name) : '');
-  $variables['site_slogan']       = (theme_get_setting('features.slogan') ? filter_xss_admin($site_slogan) : '');
+  $variables['site_slogan']       = (theme_get_setting('features.slogan') ? Xss::filterAdmin($site_slogan) : '');
 
   // Compile a list of classes that are going to be applied to the body element.
   $variables['attributes']['class'][] = 'maintenance-page';
diff --git a/core/lib/Drupal/Component/Utility/String.php b/core/lib/Drupal/Component/Utility/String.php
index cd546ce0a1a401f75a89e0005b1623754b2579dd..9796a5fc018344e5ac7531e81e05fae34f97a2fc 100644
--- a/core/lib/Drupal/Component/Utility/String.php
+++ b/core/lib/Drupal/Component/Utility/String.php
@@ -79,7 +79,8 @@ public static function decodeEntities($text) {
    *     this for text that has already been prepared for HTML display (for
    *     example, user-supplied text that has already been run through
    *     String::checkPlain() previously, or is expected to contain some limited
-   *     HTML tags and has already been run through filter_xss() previously).
+   *     HTML tags and has already been run through
+   *     \Drupal\Component\Utility\Xss::filter() previously).
    *
    * @return mixed
    *   The formatted string, or FALSE if no args specified.
diff --git a/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php
index 93bfb42f5eb0a23ca6755951ad1837dea8fc5206..7c5db6e771d30549f4f00659f096ee51032dcabb 100644
--- a/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/MaintenanceModeSubscriber.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\Core\EventSubscriber;
 
+use Drupal\Component\Utility\Xss;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\KernelEvents;
@@ -47,7 +48,7 @@ public function onKernelRequestMaintenance(GetResponseEvent $event) {
       $maintenance_page = array(
         '#theme' => 'maintenance_page',
         '#title' => t('Site under maintenance'),
-        '#content' => filter_xss_admin(
+        '#content' => Xss::filterAdmin(
           t(\Drupal::config('system.maintenance')->get('message'), array('@site' => \Drupal::config('system.site')->get('name')))
         ),
       );
diff --git a/core/lib/Drupal/Core/Utility/Token.php b/core/lib/Drupal/Core/Utility/Token.php
index e612de858256b448fc2232f38e3468aacf975641..27a451919f7610766d50bafb09af46d6aa81d23d 100644
--- a/core/lib/Drupal/Core/Utility/Token.php
+++ b/core/lib/Drupal/Core/Utility/Token.php
@@ -107,9 +107,10 @@ public function __construct(ModuleHandlerInterface $module_handler) {
    *     final text if no replacement value can be generated.
    *   - sanitize: A boolean flag indicating that tokens should be sanitized for
    *     display to a web browser. Defaults to TRUE. Developers who set this
-   *     option to FALSE assume responsibility for running filter_xss(),
-   *     String::checkPlain() or other appropriate scrubbing functions before
-   *     displaying data to users.
+   *     option to FALSE assume responsibility for running
+   *     \Drupal\Component\Utility\Xss::filter(),
+   *     \Drupal\Component\Utility\String::checkPlain() or other appropriate
+   *     scrubbing functions before displaying data to users.
    *
    * @return string
    *   Text with tokens replaced.
@@ -200,8 +201,9 @@ public function scan($text) {
    *     encoding or truncation to a specific length.
    *   - sanitize: A boolean flag indicating that tokens should be sanitized for
    *     display to a web browser. Developers who set this option to FALSE assume
-   *     responsibility for running filter_xss(), String::checkPlain() or other
-   *     appropriate scrubbing functions before displaying data to users.
+   *     responsibility for running \Drupal\Component\Utility\Xss::filter(),
+   *     \Drupal\Component\Utility\String::checkPlain() or other appropriate
+   *     scrubbing functions before displaying data to users.
    *
    * @return array
    *   An associative array of replacement values, keyed by the original 'raw'
diff --git a/core/modules/aggregator/aggregator.module b/core/modules/aggregator/aggregator.module
index 46957aa9f21da7947455d51ddf8abb9468baf905..47f217384329705c48ae9dc7fed0685e8c9708df 100644
--- a/core/modules/aggregator/aggregator.module
+++ b/core/modules/aggregator/aggregator.module
@@ -6,6 +6,7 @@
  */
 
 use Drupal\aggregator\FeedInterface;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Denotes that a feed's items should never expire.
@@ -171,7 +172,7 @@ function aggregator_feed_load($fid) {
  *   The filtered content.
  */
 function aggregator_filter_xss($value) {
-  return filter_xss($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY));
+  return Xss::filter($value, preg_split('/\s+|<|>/', \Drupal::config('aggregator.settings')->get('items.allowed_html'), -1, PREG_SPLIT_NO_EMPTY));
 }
 
 /**
diff --git a/core/modules/block/custom_block/custom_block.pages.inc b/core/modules/block/custom_block/custom_block.pages.inc
index 4cca4cc71601314e16e2d4dfe7e9a93924a73252..f24e16b057909526e3da72b23195f8f0b877a6f3 100644
--- a/core/modules/block/custom_block/custom_block.pages.inc
+++ b/core/modules/block/custom_block/custom_block.pages.inc
@@ -5,6 +5,7 @@
  * Provides page callbacks for custom blocks.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\custom_block\Entity\CustomBlockType;
 use Drupal\custom_block\Entity\CustomBlock;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -26,7 +27,7 @@ function template_preprocess_custom_block_add_list(&$variables) {
   foreach ($variables['content'] as $type) {
     $variables['types'][$type->id()] = array(
       'link' => \Drupal::l($type->label(), 'custom_block.add_form', array('custom_block_type' => $type->id()), array('query' => $query)),
-      'description' => filter_xss_admin($type->description),
+      'description' => Xss::filterAdmin($type->description),
       'title' => $type->label(),
       'localized_options' => array(
         'query' => $query,
diff --git a/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php b/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php
index 1c09e9f72c30579c31e8f2aa9596077e489cd981..8c84de45bf31da31279b9d67ecd6e373071b5e5c 100644
--- a/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php
+++ b/core/modules/block/custom_block/lib/Drupal/custom_block/CustomBlockTypeListBuilder.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\custom_block;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
 use Drupal\Core\Entity\EntityInterface;
 
@@ -44,7 +45,7 @@ public function buildHeader() {
    */
   public function buildRow(EntityInterface $entity) {
     $row['type'] = \Drupal::linkGenerator()->generateFromUrl($entity->label(), $entity->urlInfo());
-    $row['description'] = filter_xss_admin($entity->description);
+    $row['description'] = Xss::filterAdmin($entity->description);
     return $row + parent::buildRow($entity);
   }
 
diff --git a/core/modules/comment/comment.tokens.inc b/core/modules/comment/comment.tokens.inc
index b58230a12e4518588908c83988c774cbc03d61c2..f38f98b7a340c5cab8853b84ca28a1def6f4161a 100644
--- a/core/modules/comment/comment.tokens.inc
+++ b/core/modules/comment/comment.tokens.inc
@@ -5,6 +5,8 @@
  * Builds placeholder replacement tokens for comment-related data.
  */
 
+use Drupal\Component\Utility\Xss;
+
 /**
  * Implements hook_token_info().
  */
@@ -152,7 +154,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
           break;
 
         case 'title':
-          $replacements[$original] = $sanitize ? filter_xss($comment->getSubject()) : $comment->getSubject();
+          $replacements[$original] = $sanitize ? Xss::filter($comment->getSubject()) : $comment->getSubject();
           break;
 
         case 'body':
@@ -175,13 +177,13 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
         case 'name':
         case 'author':
           $name = $comment->getAuthorName();
-          $replacements[$original] = $sanitize ? filter_xss($name) : $name;
+          $replacements[$original] = $sanitize ? Xss::filter($name) : $name;
           break;
 
         case 'parent':
           if ($comment->hasParentComment()) {
             $parent = $comment->getParentComment();
-            $replacements[$original] = $sanitize ? filter_xss($parent->getSubject()) : $parent->getSubject();
+            $replacements[$original] = $sanitize ? Xss::filter($parent->getSubject()) : $parent->getSubject();
           }
           break;
 
@@ -196,7 +198,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
         case 'entity':
           $entity = $comment->getCommentedEntity();
           $title = $entity->label();
-          $replacements[$original] = $sanitize ? filter_xss($title) : $title;
+          $replacements[$original] = $sanitize ? Xss::filter($title) : $title;
           break;
 
         case 'node':
@@ -206,7 +208,7 @@ function comment_tokens($type, $tokens, array $data = array(), array $options =
           if ($comment->getCommentedEntityTypeId() == 'node') {
             $entity = $comment->getCommentedEntity();
             $title = $entity->label();
-            $replacements[$original] = $sanitize ? filter_xss($title) : $title;
+            $replacements[$original] = $sanitize ? Xss::filter($title) : $title;
           }
           else {
             $replacements[$original] = NULL;
diff --git a/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php b/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php
index bd300fc83877ef04f01964251273f69b8760a160..0d2a4b2ee86a1debf772ce64af505148c9999978 100644
--- a/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php
+++ b/core/modules/comment/lib/Drupal/comment/Tests/CommentTokenReplaceTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\comment\Tests;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Language\Language;
 
 /**
@@ -54,11 +55,11 @@ function testCommentTokenReplacement() {
     $tests = array();
     $tests['[comment:cid]'] = $comment->id();
     $tests['[comment:hostname]'] = check_plain($comment->getHostname());
-    $tests['[comment:name]'] = filter_xss($comment->getAuthorName());
-    $tests['[comment:author]'] = filter_xss($comment->getAuthorName());
+    $tests['[comment:name]'] = Xss::filter($comment->getAuthorName());
+    $tests['[comment:author]'] = Xss::filter($comment->getAuthorName());
     $tests['[comment:mail]'] = check_plain($this->admin_user->getEmail());
     $tests['[comment:homepage]'] = check_url($comment->getHomepage());
-    $tests['[comment:title]'] = filter_xss($comment->getSubject());
+    $tests['[comment:title]'] = Xss::filter($comment->getSubject());
     $tests['[comment:body]'] = $comment->comment_body->processed;
     $tests['[comment:url]'] = url('comment/' . $comment->id(), $url_options + array('fragment' => 'comment-' . $comment->id()));
     $tests['[comment:edit-url]'] = url('comment/' . $comment->id() . '/edit', $url_options);
diff --git a/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php b/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php
index d891bfe406ef8231611bae12e7cac17fb4969877..72ddf22b13423b65691c7630f701e2bda04c696b 100644
--- a/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php
+++ b/core/modules/dblog/lib/Drupal/dblog/Controller/DbLogController.php
@@ -181,7 +181,7 @@ public function overview() {
         }
         if (isset($dblog->wid)) {
           // Truncate link_text to 56 chars of message.
-          $log_text = Unicode::truncate(filter_xss($message, array()), 56, TRUE, TRUE);
+          $log_text = Unicode::truncate(Xss::filter($message, array()), 56, TRUE, TRUE);
           $message = $this->l($log_text, 'dblog.event',  array('event_id' => $dblog->wid), array('html' => TRUE));
         }
       }
diff --git a/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php b/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php
index 24add00d4259f8d8c3791f856a8c3c73bd1f9729..850b6e14eb827208382950b22a59bd63bb9095b2 100644
--- a/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php
+++ b/core/modules/dblog/lib/Drupal/dblog/Tests/DbLogTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\dblog\Tests;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Language\Language;
 use Drupal\dblog\Controller\DbLogController;
 use Drupal\simpletest\WebTestBase;
@@ -264,7 +265,7 @@ private function doUser() {
     $this->assertLogMessage(t('Session closed for %name.', array('%name' => $name)), 'DBLog event was recorded: [logout user]');
     // Delete user.
     $message = t('Deleted user: %name %email.', array('%name' => $name, '%email' => '<' . $user->getEmail() . '>'));
-    $message_text = truncate_utf8(filter_xss($message, array()), 56, TRUE, TRUE);
+    $message_text = truncate_utf8(Xss::filter($message, array()), 56, TRUE, TRUE);
     // Verify that the full message displays on the details page.
     $link = FALSE;
     if ($links = $this->xpath('//a[text()="' . html_entity_decode($message_text) . '"]')) {
@@ -613,10 +614,10 @@ protected function asText(\SimpleXMLElement $element) {
    *   The message to pass to simpletest.
    */
   protected function assertLogMessage($log_message, $message) {
-    $message_text = truncate_utf8(filter_xss($log_message, array()), 56, TRUE, TRUE);
-    // After filter_xss(), HTML entities should be converted to their character
-    // equivalents because assertLink() uses this string in xpath() to query the
-    // Document Object Model (DOM).
+    $message_text = truncate_utf8(Xss::filter($log_message, array()), 56, TRUE, TRUE);
+    // After \Drupal\Component\Utility\Xss::filter(), HTML entities should be
+    // converted to their character equivalents because assertLink() uses this
+    // string in xpath() to query the Document Object Model (DOM).
     $this->assertLink(html_entity_decode($message_text), 0, $message);
   }
 }
diff --git a/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php b/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php
index 8b2987c289a34d04e6e56f0633244cb7ab017b9a..818cfd3afcf32e6eeaf7e923ab4e43c49baa62fe 100644
--- a/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php
+++ b/core/modules/dblog/lib/Drupal/dblog/Tests/Views/ViewsIntegrationTest.php
@@ -77,7 +77,8 @@ public function testIntegration() {
     $entries[] = array(
       'message' => '@token1 !token2',
       'variables' => array('@token1' => $this->randomName(), '!token2' => $this->randomName()),
-      // Setup a link with a tag which is filtered by filter_xss_admin.
+      // Setup a link with a tag which is filtered by
+      // \Drupal\Component\Utility\Xss::filterAdmin().
       'link' => l('<object>Link</object>', 'node/2', array('html' => TRUE)),
     );
     foreach ($entries as $entry) {
diff --git a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
index 3f9386342c9c042d3e3328e7f7f7dd8e42a40c5e..84197805b99c1be50e7fc4d14c376c31e8ffded6 100644
--- a/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
+++ b/core/modules/editor/lib/Drupal/editor/EditorXssFilter/Standard.php
@@ -25,8 +25,8 @@ public static function filterXss($html, FilterFormatInterface $format, FilterFor
     // The <script> and <style> tags are blacklisted because their contents
     // can be malicious (and therefor they are inherently unsafe), whereas for
     // all other tags, only their attributes can make them malicious. Since
-    // Xss::filter() protects against malicious attributes, we take no
-    // blacklisting action.
+    // \Drupal\Component\Utility\Xss::filter() protects against malicious
+    // attributes, we take no blacklisting action.
     // The exceptions to the above rule are <link>, <embed> and <object>:
     // - <link> because the href attribute allows the attacker to import CSS
     //   using the HTTP(S) protocols which Xss::filter() considers safe by
diff --git a/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php b/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php
index 03fdf24f163442dd23dd4edcfa193f32b32cbcb0..37a446b91c0cdb0516bb74bface10f88e1409193 100644
--- a/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php
+++ b/core/modules/entity_reference/lib/Drupal/entity_reference/Plugin/views/style/EntityReference.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\entity_reference\Plugin\views\style;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Plugin\views\style\StylePluginBase;
 
 /**
@@ -92,7 +93,7 @@ public function render() {
         // Sanitize HTML, remove line breaks and extra whitespace.
         $output = $this->view->rowPlugin->render($values);
         $output = drupal_render($output);
-        $results[$values->{$id_field_alias}] = filter_xss_admin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output)));
+        $results[$values->{$id_field_alias}] = Xss::filterAdmin(preg_replace('/\s\s+/', ' ', str_replace("\n", '', $output)));
         $this->view->row_index++;
       }
     }
diff --git a/core/modules/field/field.module b/core/modules/field/field.module
index db35e40e044bdca6c1d49bf75e77cd3d8a4d7563..4c73352f6290c04a2f5b6c8f392a5c23bf955653 100644
--- a/core/modules/field/field.module
+++ b/core/modules/field/field.module
@@ -266,7 +266,8 @@ function field_cache_clear() {
 /**
  * Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.
  *
- * Like filter_xss_admin(), but with a shorter list of allowed tags.
+ * Like \Drupal\Component\Utility\Xss::filterAdmin(), but with a shorter list
+ * of allowed tags.
  *
  * Used for items entered by administrators, like field descriptions, allowed
  * values, where some (mainly inline) mark-up may be desired (so
diff --git a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php
index 1b10358d860d9f2ed6099c0e106bd6fff0426428..8efdbbd8ec24d9c89d931faf094d5545189a81e1 100644
--- a/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php
+++ b/core/modules/field/lib/Drupal/field/Plugin/views/field/Field.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\field\Plugin\views\field;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Entity\EntityManagerInterface;
 use Drupal\Core\Entity\EntityStorageInterface;
@@ -650,7 +651,7 @@ protected function renderItems($items) {
       }
 
       if ($this->options['multi_type'] == 'separator') {
-        return implode(filter_xss_admin($this->options['separator']), $items);
+        return implode(Xss::filterAdmin($this->options['separator']), $items);
       }
       else {
         $item_list = array(
@@ -834,8 +835,9 @@ protected function documentSelfTokens(&$tokens) {
   protected function addSelfTokens(&$tokens, $item) {
     $field = $this->field_info;
     foreach ($field->getColumns() as $id => $column) {
-      // Use filter_xss_admin because it's user data and we can't be sure it is safe.
-      // We know nothing about the data, though, so we can't really do much else.
+      // Use \Drupal\Component\Utility\Xss::filterAdmin() because it's user data
+      // and we can't be sure it is safe. We know nothing about the data,
+      // though, so we can't really do much else.
 
       if (isset($item['raw'])) {
         // If $item['raw'] is an array then we can use as is, if it's an object
@@ -844,7 +846,7 @@ protected function addSelfTokens(&$tokens, $item) {
                (is_object($item['raw']) ? (array)$item['raw'] : NULL);
       }
       if (isset($raw) && isset($raw[$id]) && is_scalar($raw[$id])) {
-        $tokens['[' . $this->options['id'] . '-' . $id . ']'] = filter_xss_admin($raw[$id]);
+        $tokens['[' . $this->options['id'] . '-' . $id . ']'] = Xss::filterAdmin($raw[$id]);
       }
       else {
         // Make sure that empty values are replaced as well.
diff --git a/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php b/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php
index cf439660ce444cb8920859bdea1bc4ccae1bc3c4..5f77d92afc5014c9a3571513baaaaecaf206958e 100644
--- a/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php
+++ b/core/modules/field/lib/Drupal/field/Tests/FieldUnitTestBase.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\field\Tests;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Core\Language\Language;
 use Drupal\simpletest\DrupalUnitTestBase;
@@ -235,7 +236,7 @@ protected function assertText($text, $message = '', $group = 'Other') {
     if (!$message) {
       $message = t('Raw "@raw" found', array('@raw' => $text));
     }
-    return $this->assert(strpos(filter_xss($this->content, array()), $text) !== FALSE, $message, $group);
+    return $this->assert(strpos(Xss::filter($this->content, array()), $text) !== FALSE, $message, $group);
   }
 
   /**
@@ -260,6 +261,6 @@ protected function assertNoText($text, $message = '', $group = 'Other') {
     if (!$message) {
       $message = t('Raw "@raw" not found', array('@raw' => $text));
     }
-    return $this->assert(strpos(filter_xss($this->content, array()), $text) === FALSE, $message, $group);
+    return $this->assert(strpos(Xss::filter($this->content, array()), $text) === FALSE, $message, $group);
   }
 }
diff --git a/core/modules/filter/filter.module b/core/modules/filter/filter.module
index 73aec622752da6c8d87755206318fdd226ac1ffa..2e71d68b775238b4fe89a246956acc64f91a1896 100644
--- a/core/modules/filter/filter.module
+++ b/core/modules/filter/filter.module
@@ -7,6 +7,7 @@
 
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Language\Language;
 use Drupal\Core\Render\Element;
@@ -728,7 +729,7 @@ function template_preprocess_filter_tips(&$variables) {
  */
 function _filter_html($text, $filter) {
   $allowed_tags = preg_split('/\s+|<|>/', $filter->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY);
-  $text = filter_xss($text, $allowed_tags);
+  $text = Xss::filter($text, $allowed_tags);
 
   if ($filter->settings['filter_html_nofollow']) {
     $html_dom = Html::load($text);
@@ -772,7 +773,7 @@ function _filter_url($text, $filter) {
   // the identical list. While '//' is technically optional for MAILTO only,
   // we cannot cleanly differ between protocols here without hard-coding MAILTO,
   // so '//' is optional for all protocols.
-  // @see filter_xss_bad_protocol()
+  // @see \Drupal\Component\Utility\UrlHelper::filterBadProtocol()
   $protocols = \Drupal::config('system.filter')->get('protocols');
   $protocols = implode(':(?://)?|', $protocols) . ':(?://)?';
 
diff --git a/core/modules/forum/forum.module b/core/modules/forum/forum.module
index f01509b9244be9e930959539c1c516c815465eb1..5facc3c855316e4f01aa8731c52c19dfeb051145 100644
--- a/core/modules/forum/forum.module
+++ b/core/modules/forum/forum.module
@@ -6,6 +6,7 @@
  */
 
 use Drupal\comment\Plugin\Field\FieldType\CommentItemInterface;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Entity\EntityInterface;
 use Drupal\Component\Utility\String;
 use Drupal\field\Field;
@@ -709,7 +710,7 @@ function template_preprocess_forum_list(&$variables) {
   $row = 0;
   // Sanitize each forum so that the template can safely print the data.
   foreach ($variables['forums'] as $id => $forum) {
-    $variables['forums'][$id]->description = filter_xss_admin($forum->description->value);
+    $variables['forums'][$id]->description = Xss::filterAdmin($forum->description->value);
     $variables['forums'][$id]->link = url("forum/" . $forum->id());
     $variables['forums'][$id]->name = String::checkPlain($forum->label());
     $variables['forums'][$id]->is_container = !empty($forum->forum_container->value);
diff --git a/core/modules/locale/locale.module b/core/modules/locale/locale.module
index 59b3be0a2d995340ae1bdd3703c80cd2ca87abb0..881ca9a65f7c1af985f9b776ac5e1f083fe0f96a 100644
--- a/core/modules/locale/locale.module
+++ b/core/modules/locale/locale.module
@@ -11,6 +11,7 @@
  */
 
 use Drupal\Component\Utility\Json;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Language\Language;
 use Drupal\language\Entity\Language as LanguageEntity;
@@ -1035,15 +1036,16 @@ function locale_translation_use_remote_source() {
  * not have any false positives. But it is only a test, not a transformation,
  * as it destroys valid HTML. We cannot reliably filter translation strings
  * on import because some strings are irreversibly corrupted. For example,
- * a &amp; in the translation would get encoded to &amp;amp; by filter_xss()
- * before being put in the database, and thus would be displayed incorrectly.
+ * a &amp; in the translation would get encoded to &amp;amp; by
+ * \Drupal\Component\Utility\Xss::filter() before being put in the database,
+ * and thus would be displayed incorrectly.
  *
- * The allowed tag list is like filter_xss_admin(), but omitting div and img as
- * not needed for translation and likely to cause layout issues (div) or a
- * possible attack vector (img).
+ * The allowed tag list is like \Drupal\Component\Utility\Xss::filterAdmin(),
+ * but omitting div and img as not needed for translation and likely to cause
+ * layout issues (div) or a possible attack vector (img).
  */
 function locale_string_is_safe($string) {
-  return decode_entities($string) == decode_entities(filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
+  return decode_entities($string) == decode_entities(Xss::filter($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var')));
 }
 
 /**
diff --git a/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php b/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php
index 31f5db447be9b19bf660f7e17facc9ca12f13840..b1ff07ea82a3689d9364de44e646bd9cadf3e629 100644
--- a/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php
+++ b/core/modules/menu/lib/Drupal/menu/MenuListBuilder.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\menu;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Config\Entity\ConfigEntityListBuilder;
 use Drupal\Core\Entity\EntityInterface;
 
@@ -38,7 +39,7 @@ public function buildRow(EntityInterface $entity) {
       'data' => $this->getLabel($entity),
       'class' => array('menu-label'),
     );
-    $row['description'] = filter_xss_admin($entity->description);
+    $row['description'] = Xss::filterAdmin($entity->description);
     return $row + parent::buildRow($entity);
   }
 
diff --git a/core/modules/node/node.module b/core/modules/node/node.module
index b05fc2c2586cb2d6a178ebe2b213ee5b73df3b4a..d7939757489d69e99225fa25913ec6ba913e8083 100644
--- a/core/modules/node/node.module
+++ b/core/modules/node/node.module
@@ -8,6 +8,7 @@
  * API pattern.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Language\Language;
 use Drupal\Core\Render\Element;
 use Drupal\Core\Url;
@@ -137,12 +138,12 @@ function node_help($path, $arg) {
     case 'node/%/edit':
       $node = node_load($arg[1]);
       $type = node_type_load($node->bundle());
-      return (!empty($type->help) ? filter_xss_admin($type->help) : '');
+      return (!empty($type->help) ? Xss::filterAdmin($type->help) : '');
   }
 
   if ($arg[0] == 'node' && $arg[1] == 'add' && $arg[2]) {
     $type = node_type_load($arg[2]);
-    return (!empty($type->help) ? filter_xss_admin($type->help) : '');
+    return (!empty($type->help) ? Xss::filterAdmin($type->help) : '');
   }
 }
 
diff --git a/core/modules/node/node.pages.inc b/core/modules/node/node.pages.inc
index fe5b0c15bdf601f154cfe338df3e1239a73bcc20..94f29bcdb68eeb7a7511f0500336c83e923f04ea 100644
--- a/core/modules/node/node.pages.inc
+++ b/core/modules/node/node.pages.inc
@@ -9,6 +9,7 @@
  * @see node_menu()
  */
 
+use Drupal\Component\Utility\Xss;
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Drupal\node\NodeInterface;
 
@@ -30,7 +31,7 @@ function template_preprocess_node_add_list(&$variables) {
       $variables['types'][$type->type] = array(
         'type' => $type->type,
         'add_link' => l($type->name, 'node/add/' . $type->type),
-        'description' => filter_xss_admin($type->description),
+        'description' => Xss::filterAdmin($type->description),
       );
     }
   }
@@ -141,7 +142,7 @@ function node_revision_overview($node) {
         '#account' => user_load($revision->uid),
       );
       $row[] = array('data' => t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), 'node/' . $node->id()), '!username' => drupal_render($username)))
-                               . (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : ''),
+                               . (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : ''),
                      'class' => array('revision-current'));
       $row[] = array('data' => drupal_placeholder(t('current revision')), 'class' => array('revision-current'));
     }
@@ -151,7 +152,7 @@ function node_revision_overview($node) {
         '#account' => user_load($revision->uid),
       );
       $row[] = t('!date by !username', array('!date' => l(format_date($revision->revision_timestamp, 'short'), "node/" . $node->id() . "/revisions/" . $revision->vid . "/view"), '!username' => drupal_render($username)))
-               . (($revision->log != '') ? '<p class="revision-log">' . filter_xss($revision->log) . '</p>' : '');
+               . (($revision->log != '') ? '<p class="revision-log">' . Xss::filter($revision->log) . '</p>' : '');
       if ($revert_permission) {
         $links['revert'] = array(
           'title' => t('Revert'),
diff --git a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
index 61c54d1348fe9423ef39dbfcfbeaa857cacfc918..33833911cdaffea5ef3b02677eda7ad8fef8d56f 100644
--- a/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
+++ b/core/modules/simpletest/lib/Drupal/simpletest/WebTestBase.php
@@ -11,6 +11,7 @@
 use Drupal\Component\Utility\Json;
 use Drupal\Component\Utility\NestedArray;
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\DrupalKernel;
 use Drupal\Core\Database\Database;
 use Drupal\Core\Database\ConnectionNotDefinedException;
@@ -2766,7 +2767,7 @@ protected function assertNoText($text, $message = '', $group = 'Other') {
    */
   protected function assertTextHelper($text, $message = '', $group, $not_exists) {
     if ($this->plainTextContent === FALSE) {
-      $this->plainTextContent = filter_xss($this->drupalGetContent(), array());
+      $this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
     }
     if (!$message) {
       $message = !$not_exists ? String::format('"@text" found', array('@text' => $text)) : String::format('"@text" not found', array('@text' => $text));
@@ -2851,7 +2852,7 @@ protected function assertNoUniqueText($text, $message = '', $group = 'Other') {
    */
   protected function assertUniqueTextHelper($text, $message = '', $group, $be_unique) {
     if ($this->plainTextContent === FALSE) {
-      $this->plainTextContent = filter_xss($this->drupalGetContent(), array());
+      $this->plainTextContent = Xss::filter($this->drupalGetContent(), array());
     }
     if (!$message) {
       $message = '"' . $text . '"' . ($be_unique ? ' found only once' : ' found more than once');
diff --git a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
index 2b1d696880919ab5df3259c466f65d485439dcef..d54cc74ffb727cff3b217b6c640abc5ea5c02a22 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Common/XssUnitTest.php
@@ -11,7 +11,7 @@
 use Drupal\simpletest\DrupalUnitTestBase;
 
 /**
- * Tests for filter_xss() and check_url().
+ * Tests for \Drupal\Component\Utility\Xss::filter() and check_url().
  */
 class XssUnitTest extends DrupalUnitTestBase {
 
@@ -25,7 +25,7 @@ class XssUnitTest extends DrupalUnitTestBase {
   public static function getInfo() {
     return array(
       'name' => 'String filtering tests',
-      'description' => 'Confirm that filter_xss() and check_url() work correctly, including invalid multi-byte sequences.',
+      'description' => 'Confirm that \Drupal\Component\Utility\Xss::filter() and check_url() work correctly, including invalid multi-byte sequences.',
       'group' => 'Common',
     );
   }
diff --git a/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php b/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
index 70d9b5e6339d03080374c0e5721cb68ffe56a004..4c7f520356711593685594d6e73b1040fcacc432 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Form/AlterTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\system\Tests\Form;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\simpletest\WebTestBase;
 
 /**
@@ -42,7 +43,7 @@ function testExecutionOrder() {
       'form_test_form_form_test_alter_form_alter() executed.',
       'system_form_form_test_alter_form_alter() executed.',
     );
-    $content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
+    $content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
     $this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Form alter hooks executed in the expected order.');
   }
 }
diff --git a/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php b/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
index fdc511a5abb5aa651c0e28af4785e97ed26fdf48..a944f2f0d76ee729dc79587b0c0c70614ec4ac75 100644
--- a/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/System/PageTitleTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\system\Tests\System;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Utility\Title;
 use Drupal\simpletest\WebTestBase;
 
@@ -73,7 +74,7 @@ function testTitleXSS() {
     $title_filtered = check_plain($title);
 
     $slogan = '<script type="text/javascript">alert("Slogan XSS!");</script>';
-    $slogan_filtered = filter_xss_admin($slogan);
+    $slogan_filtered = Xss::filterAdmin($slogan);
 
     // Activate needed appearance settings.
     $edit = array(
diff --git a/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php b/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
index a987e1f61e62f43ff44f7b8875b1e71cbe5ec7fb..202ddd2a44bf45d42b6ffda14f58728d7166fea7 100644
--- a/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/Theme/ThemeSuggestionsAlterTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\system\Tests\Theme;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\simpletest\WebTestBase;
 
 /**
@@ -182,7 +183,7 @@ function testExecutionOrder() {
       'test_theme_theme_suggestions_alter() executed.',
       'test_theme_theme_suggestions_theme_test_suggestions_alter() executed.',
     );
-    $content = preg_replace('/\s+/', ' ', filter_xss($this->content, array()));
+    $content = preg_replace('/\s+/', ' ', Xss::filter($this->content, array()));
     $this->assert(strpos($content, implode(' ', $expected)) !== FALSE, 'Suggestion alter hooks executed in the expected order.');
   }
 
diff --git a/core/modules/system/system.admin.inc b/core/modules/system/system.admin.inc
index 84e74c092a91dbbe2dee247d7f2a453f54b75764..52998dee4364e6f2ce2aae8085f585c93f444c3f 100644
--- a/core/modules/system/system.admin.inc
+++ b/core/modules/system/system.admin.inc
@@ -5,6 +5,7 @@
  * Admin page callbacks for the system module.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Extension\Extension;
 use Drupal\Core\Render\Element;
@@ -105,7 +106,7 @@ function template_preprocess_admin_block_content(&$variables) {
     foreach ($variables['content'] as $key => $item) {
       $variables['content'][$key]['link'] = l($item['title'], $item['link_path'], $item['localized_options']);
       if (!$compact && isset($item['description'])) {
-        $variables['content'][$key]['description'] = filter_xss_admin($item['description']);
+        $variables['content'][$key]['description'] = Xss::filterAdmin($item['description']);
       }
       else {
         $variables['content'][$key]['description'] = FALSE;
diff --git a/core/modules/system/system.tokens.inc b/core/modules/system/system.tokens.inc
index 4c27e2cc806a12c4ed540f16b951f13468c89afd..3750ff217ef92033e1859bd487f9a9334e73001d 100644
--- a/core/modules/system/system.tokens.inc
+++ b/core/modules/system/system.tokens.inc
@@ -7,6 +7,8 @@
  * This file handles tokens for the global 'site' and 'date' tokens.
  */
 
+use Drupal\Component\Utility\Xss;
+
 /**
  * Implements hook_token_info().
  */
@@ -109,7 +111,7 @@ function system_tokens($type, $tokens, array $data = array(), array $options = a
 
         case 'slogan':
           $slogan = \Drupal::config('system.site')->get('slogan');
-          $replacements[$original] = $sanitize ? filter_xss_admin($slogan) : $slogan;
+          $replacements[$original] = $sanitize ? Xss::filterAdmin($slogan) : $slogan;
           break;
 
         case 'mail':
diff --git a/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
index 18cbdd8af15e24e39ed883c35c16c7264448ee21..a09cbc24e107d5e1db1ed7fe67d099e995ff4946 100644
--- a/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
+++ b/core/modules/taxonomy/lib/Drupal/taxonomy/Tests/TokenReplaceTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\taxonomy\Tests;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Field\FieldDefinitionInterface;
 use Drupal\Core\Language\Language;
 use Drupal\Component\Utility\String;
@@ -135,7 +136,7 @@ function testTaxonomyTokenReplacement() {
     $tests = array();
     $tests['[vocabulary:vid]'] = $this->vocabulary->id();
     $tests['[vocabulary:name]'] = String::checkPlain($this->vocabulary->name);
-    $tests['[vocabulary:description]'] = filter_xss($this->vocabulary->description);
+    $tests['[vocabulary:description]'] = Xss::filter($this->vocabulary->description);
     $tests['[vocabulary:node-count]'] = 1;
     $tests['[vocabulary:term-count]'] = 2;
 
diff --git a/core/modules/taxonomy/taxonomy.tokens.inc b/core/modules/taxonomy/taxonomy.tokens.inc
index ce331da159b2835996edc801172409daa82c8ca1..aa1505c59b2d5ddd8768d3a63fdb0ad561b40904 100644
--- a/core/modules/taxonomy/taxonomy.tokens.inc
+++ b/core/modules/taxonomy/taxonomy.tokens.inc
@@ -6,6 +6,7 @@
  */
 
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 
 /**
  * Implements hook_token_info().
@@ -164,7 +165,7 @@ function taxonomy_tokens($type, $tokens, array $data = array(), array $options =
           break;
 
         case 'description':
-          $replacements[$original] = $sanitize ? filter_xss($vocabulary->description) : $vocabulary->description;
+          $replacements[$original] = $sanitize ? Xss::filter($vocabulary->description) : $vocabulary->description;
           break;
 
         case 'term-count':
diff --git a/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php b/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
index d8834906aa479cb9a1915373804fc2b6b0e375ef..1858370a25375bb9142238fa8fbb0b7a5e4eb567 100644
--- a/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
+++ b/core/modules/tour/lib/Drupal/tour/Plugin/tour/tip/TipPluginText.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\tour\Plugin\tour\tip;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
 use Drupal\Core\Utility\Token;
 use Drupal\tour\TipPluginBase;
@@ -119,7 +120,7 @@ public function getAttributes() {
    */
   public function getOutput() {
     $output = '<h2 class="tour-tip-label" id="tour-tip-' . $this->getAriaId() . '-label">' . check_plain($this->getLabel()) . '</h2>';
-    $output .= '<p class="tour-tip-body" id="tour-tip-' . $this->getAriaId() . '-contents">' . filter_xss_admin($this->token->replace($this->getBody())) . '</p>';
+    $output .= '<p class="tour-tip-body" id="tour-tip-' . $this->getAriaId() . '-contents">' . Xss::filterAdmin($this->token->replace($this->getBody())) . '</p>';
     return array('#markup' => $output);
   }
 
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 91a6f25ab7755b58d8ea195af5cfe9ac3b957a1b..a97f6fcf3bf50bd2885a1205a72c6618b76a36ba 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -607,7 +607,7 @@ function user_template_preprocess_default_variables_alter(&$variables) {
  *
  * Modules that make any changes to variables like 'name' or 'extra' must ensure
  * that the final string is safe to include directly in the output by using
- * check_plain() or filter_xss().
+ * check_plain() or \Drupal\Component\Utility\Xss::filter().
  */
 function template_preprocess_username(&$variables) {
   $account = $variables['account'] ?: new AnonymousUserSession();
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php b/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
index 6856ccdc9977ad9c33211ff0a1e5ad9744740f27..fcd798cb6b94754a847f1848322bbd85f72ac0de 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/area/TextCustom.php
@@ -53,7 +53,7 @@ public function render($empty = FALSE) {
   }
 
   /**
-   * Render a text area with filter_xss_admin.
+   * Render a text area with \Drupal\Component\Utility\Xss::filterAdmin().
    */
   public function renderTextarea($value) {
     if ($value) {
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php b/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
index 47b1b4ead641772173a69b216259324022b907d6..cf4ef7798597a4f78f4ea9e66e85f58e97cf06fa 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/field/Boolean.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\views\Plugin\views\field;
 
+use Drupal\Component\Utility\Xss as UtilityXss;
 use Drupal\views\ResultRow;
 use Drupal\views\ViewExecutable;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
@@ -110,7 +111,7 @@ public function render(ResultRow $values) {
     }
 
     if ($this->options['type'] == 'custom') {
-      return $value ? filter_xss_admin($this->options['type_custom_true']) : filter_xss_admin($this->options['type_custom_false']);
+      return $value ? UtilityXss::filterAdmin($this->options['type_custom_true']) : UtilityXss::filterAdmin($this->options['type_custom_false']);
     }
     elseif (isset($this->formats[$this->options['type']])) {
       return $value ? $this->formats[$this->options['type']][0] : $this->formats[$this->options['type']][1];
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
index 08c12cc64f5e30a0308fca1b664bf82d208cbd79..b3c85c1bdea35b4cc800264f292fb372f8762a47 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
@@ -9,6 +9,7 @@
 
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\String;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Plugin\views\HandlerBase;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\ResultRow;
@@ -1248,7 +1249,7 @@ public function renderText($alter) {
       if ($this->options['alter']['more_link'] && strlen($value) < $length) {
         $tokens = $this->getRenderTokens($alter);
         $more_link_text = $this->options['alter']['more_link_text'] ? $this->options['alter']['more_link_text'] : t('more');
-        $more_link_text = strtr(filter_xss_admin($more_link_text), $tokens);
+        $more_link_text = strtr(Xss::filterAdmin($more_link_text), $tokens);
         $more_link_path = $this->options['alter']['more_link_path'];
         $more_link_path = strip_tags(decode_entities(strtr($more_link_path, $tokens)));
 
@@ -1285,7 +1286,7 @@ public function renderText($alter) {
    */
   protected function renderAltered($alter, $tokens) {
     // Filter this right away as our substitutions are already sanitized.
-    $value = filter_xss_admin($alter['text']);
+    $value = Xss::filterAdmin($alter['text']);
     $value = strtr($value, $tokens);
 
     return $value;
@@ -1311,7 +1312,7 @@ protected function renderAsLink($alter, $text, $tokens) {
     $value = '';
 
     if (!empty($alter['prefix'])) {
-      $value .= filter_xss_admin(strtr($alter['prefix'], $tokens));
+      $value .= Xss::filterAdmin(strtr($alter['prefix'], $tokens));
     }
 
     $options = array(
@@ -1451,7 +1452,7 @@ protected function renderAsLink($alter, $text, $tokens) {
     $value .= l($text, $path, $options);
 
     if (!empty($alter['suffix'])) {
-      $value .= filter_xss_admin(strtr($alter['suffix'], $tokens));
+      $value .= Xss::filterAdmin(strtr($alter['suffix'], $tokens));
     }
 
     return $value;
diff --git a/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php b/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
index 5fa35b88cda13bf43f8f8db5f68307aa272e5df5..0b406f5d7c7c9de51ad7a6ad7695002a0553ca3d 100644
--- a/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
+++ b/core/modules/views/lib/Drupal/views/Tests/Plugin/RowEntityTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\views\Tests\Plugin;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Views;
 use Drupal\views\Tests\ViewUnitTestBase;
 
@@ -102,7 +103,7 @@ protected function assertText($text, $message = '', $group = 'Other') {
     if (!$message) {
       $message = t('Raw "@raw" found', array('@raw' => $text));
     }
-    return $this->assert(strpos(filter_xss($this->content, array()), $text) !== FALSE, $message, $group);
+    return $this->assert(strpos(Xss::filter($this->content, array()), $text) !== FALSE, $message, $group);
   }
 
 }
diff --git a/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php b/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
index a297fc332363b16b4571f4167e1ad0814b2d207b..1447c67ccbfa4f540d9630bfebe825734f0db13c 100644
--- a/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
+++ b/core/modules/views/tests/modules/views_test_data/lib/Drupal/views_test_data/Plugin/views/display/DisplayTest.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\views_test_data\Plugin\views\display;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 
 /**
@@ -124,7 +125,7 @@ public function execute() {
 
     $render = $this->view->render();
     // Render the test option as the title before the view output.
-    $render['#prefix'] = '<h1>' . filter_xss_admin($this->options['test_option']) . '</h1>';
+    $render['#prefix'] = '<h1>' . Xss::filterAdmin($this->options['test_option']) . '</h1>';
 
     return $render;
   }
diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc
index eaf3d860788738a5606a325bc3c8f1e7ed716c41..d01235d2492768000ca8becd1b93f0390d21bc34 100644
--- a/core/modules/views/views.theme.inc
+++ b/core/modules/views/views.theme.inc
@@ -62,7 +62,7 @@ function template_preprocess_views_view(&$variables) {
 
   // @todo: Figure out whether this belongs into views_ui_preprocess_views_view.
   // Render title for the admin preview.
-  $variables['title'] = !empty($view->views_ui_context) ? filter_xss_admin($view->getTitle()) : '';
+  $variables['title'] = !empty($view->views_ui_context) ? Xss::filterAdmin($view->getTitle()) : '';
 
   if ($view->display_handler->renderPager()) {
     $exposed_input = isset($view->exposed_raw_input) ? $view->exposed_raw_input : NULL;
@@ -203,7 +203,7 @@ function template_preprocess_views_view_fields(&$variables) {
       }
 
       if (!empty($variables['options']['separator']) && $previous_inline && $object->inline && $object->content) {
-        $object->separator = filter_xss_admin($variables['options']['separator']);
+        $object->separator = Xss::filterAdmin($variables['options']['separator']);
       }
 
       $object->class = drupal_clean_css_identifier($id);
@@ -453,7 +453,7 @@ function template_preprocess_views_view_summary_unformatted(&$variables) {
   foreach ($variables['rows'] as $id => $row) {
     // Only false on first time.
     if ($count++) {
-      $variables['rows'][$id]->separator = filter_xss_admin($variables['options']['separator']);
+      $variables['rows'][$id]->separator = Xss::filterAdmin($variables['options']['separator']);
     }
     $variables['rows'][$id]->attributes = array();
     $variables['rows'][$id]->link = $argument->summaryName($row);
@@ -643,7 +643,7 @@ function template_preprocess_views_view_table(&$variables) {
           // Place the field into the column, along with an optional separator.
           if (!empty($column_reference['content'])) {
             if (!empty($options['info'][$column]['separator'])) {
-              $column_reference['content'] .= filter_xss_admin($options['info'][$column]['separator']);
+              $column_reference['content'] .= Xss::filterAdmin($options['info'][$column]['separator']);
             }
           }
           else {
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php b/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
index dfd8f6d24b906d7b4bb4596c7fbab5f735022ec1..c6a8aed5f85a99416dc93ea62dc97427323897bb 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/ViewEditFormController.php
@@ -7,6 +7,7 @@
 
 namespace Drupal\views_ui;
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Ajax\AjaxResponse;
 use Drupal\Core\Ajax\HtmlCommand;
 use Drupal\Core\Ajax\ReplaceCommand;
@@ -1049,7 +1050,7 @@ public function getFormBucket(ViewUI $view, $type, $display) {
         $field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name;
       }
 
-      $description = filter_xss_admin($handler->adminSummary());
+      $description = Xss::filterAdmin($handler->adminSummary());
       $link_text = $field_name . (empty($description) ? '' : " ($description)");
       $link_attributes = array('class' => array('views-ajax-link'));
       if (!empty($field['exclude'])) {
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php b/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
index 3d4983746b271c99d655ea3ee099d6e4c92cfe51..ca3d5ecb19a7f9e02ddac2c94e78a47c4c3735a2 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/ViewUI.php
@@ -9,6 +9,7 @@
 
 use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\Timer;
+use Drupal\Component\Utility\Xss;
 use Drupal\views\Views;
 use Drupal\Core\Entity\EntityStorageInterface;
 use Drupal\views\ViewExecutable;
@@ -691,7 +692,7 @@ public function renderPreview($display_id, $args = array()) {
             }
           }
           if ($show_info) {
-            $rows['query'][] = array('<strong>' . t('Title') . '</strong>', filter_xss_admin($this->executable->getTitle()));
+            $rows['query'][] = array('<strong>' . t('Title') . '</strong>', Xss::filterAdmin($this->executable->getTitle()));
             if (isset($path)) {
               $path = l($path, $path);
             }
diff --git a/core/tests/Drupal/Tests/Component/Utility/XssTest.php b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
index 1bdb67c78dd0fba7e55111396fab1a9b130bb4b9..72aade428fa86597f09d9c5e9ce5b5fbd6d0fc50 100644
--- a/core/tests/Drupal/Tests/Component/Utility/XssTest.php
+++ b/core/tests/Drupal/Tests/Component/Utility/XssTest.php
@@ -119,7 +119,7 @@ public function providerTestFilterXssNormalized() {
    * @param string $message
    *   The assertion message to display upon failure.
    * @param array $allowed_tags
-   *   (optional) The allowed HTML tags to be passed to Xss::filter().
+   *   (optional) The allowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
    *
    * @dataProvider providerTestFilterXssNotNormalized
    */
@@ -144,7 +144,7 @@ public function testFilterXssNotNormalized($value, $expected, $message, array $a
    *     - The value to expect that's missing after filtering.
    *     - The assertion message.
    *     - (optional) The allowed HTML HTML tags array that should be passed to
-   *       Xss::filter().
+   *       \Drupal\Component\Utility\Xss::filter().
    */
   public function providerTestFilterXssNotNormalized() {
     $cases = array(
@@ -437,9 +437,10 @@ public function providerTestFilterXssNotNormalized() {
   /**
    * Tests removing disallowed tags and XSS prevention.
    *
-   * Xss::filter() has the ability to run in blacklist mode, in which it still
-   * applies the exact same filtering, with one exception: it no longer works
-   * with a list of allowed tags, but with a list of disallowed tags.
+   * \Drupal\Component\Utility\Xss::filter() has the ability to run in blacklist
+   * mode, in which it still applies the exact same filtering, with one
+   * exception: it no longer works with a list of allowed tags, but with a list
+   * of disallowed tags.
    *
    * @param string $value
    *   The value to filter.
@@ -448,7 +449,7 @@ public function providerTestFilterXssNotNormalized() {
    * @param string $message
    *   The assertion message to display upon failure.
    * @param array $disallowed_tags
-   *   (optional) The disallowed HTML tags to be passed to Xss::filter().
+   *   (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
    *
    * @dataProvider providerTestBlackListMode
    */
@@ -467,7 +468,7 @@ public function testBlacklistMode($value, $expected, $message, array $disallowed
    *     - The value to filter.
    *     - The value to expect after filtering.
    *     - The assertion message.
-   *     - (optional) The disallowed HTML tags to be passed to Xss::filter().
+   *     - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
    */
   public function providerTestBlackListMode() {
     return array(
@@ -537,7 +538,7 @@ public function testQuestionSign() {
   }
 
   /**
-   * Checks that Xss::filterAdmin() correctly strips unallowed tags.
+   * Checks that \Drupal\Component\Utility\Xss::filterAdmin() correctly strips unallowed tags.
    */
   public function testFilterXSSAdmin() {
     $value = Xss::filterAdmin('<style /><iframe /><frame /><frameset /><meta /><link /><embed /><applet /><param /><layer />');
diff --git a/core/themes/bartik/bartik.theme b/core/themes/bartik/bartik.theme
index 6b99f45d12bfc78e47f758eaa151cf1473d2947c..f687de3b8f7b1e5db262029581e1eefc865aad02 100644
--- a/core/themes/bartik/bartik.theme
+++ b/core/themes/bartik/bartik.theme
@@ -5,6 +5,7 @@
  * Functions to support theming in the Bartik theme.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Template\RenderWrapper;
 use Drupal\Core\Template\Attribute;
 
@@ -179,6 +180,6 @@ function _bartik_process_page(&$variables) {
   }
   if ($variables['hide_site_slogan']) {
     // If toggle_site_slogan is FALSE, the site_slogan will be empty, so we rebuild it.
-    $variables['site_slogan'] = filter_xss_admin($site_config->get('slogan'));
+    $variables['site_slogan'] = Xss::filterAdmin($site_config->get('slogan'));
   }
 }
diff --git a/core/themes/seven/seven.theme b/core/themes/seven/seven.theme
index c0a5a086817eded0996e2b55dabe98793fb0c475..dbd55133267244644cf64def66653cddccbef379 100644
--- a/core/themes/seven/seven.theme
+++ b/core/themes/seven/seven.theme
@@ -5,6 +5,7 @@
  * Functions to support theming in the Seven theme.
  */
 
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Template\RenderWrapper;
 use Drupal\Component\Utility\String;
 
@@ -121,7 +122,7 @@ function seven_node_add_list($variables) {
     foreach ($content as $type) {
       $output .= '<li class="clearfix">';
       $content = '<span class="label">' . check_plain($type->name) . '</span>';
-      $content .= '<div class="description">' . filter_xss_admin($type->description) . '</div>';
+      $content .= '<div class="description">' . Xss::filterAdmin($type->description) . '</div>';
       $options['html'] = TRUE;
       $output .= l($content, 'node/add/' . $type->type, $options);
       $output .= '</li>';
@@ -146,7 +147,7 @@ function seven_custom_block_add_list($variables) {
     foreach ($variables['types'] as $id => $type) {
       $output .= '<li class="clearfix">';
       $content = '<span class="label">' . check_plain($type['title']) . '</span>';
-      $content .= '<div class="description">' . filter_xss_admin($type['description']) . '</div>';
+      $content .= '<div class="description">' . Xss::filterAdmin($type['description']) . '</div>';
       $options = $type['localized_options'];
       $options['html'] = TRUE;
       $output .= \Drupal::l($content, 'custom_block.add_form', array('custom_block_type' => $id), $options);
@@ -169,11 +170,11 @@ function seven_admin_block_content($variables) {
     $output = system_admin_compact_mode() ? '<ul class="admin-list compact">' : '<ul class="admin-list">';
     foreach ($content as $item) {
       $output .= '<li>';
-      $content = '<span class="label">' . filter_xss_admin($item['title']) . '</span>';
+      $content = '<span class="label">' . Xss::filterAdmin($item['title']) . '</span>';
       $options = $item['localized_options'];
       $options['html'] = TRUE;
       if (isset($item['description']) && !system_admin_compact_mode()) {
-        $content .= '<div class="description">' . filter_xss_admin($item['description']) . '</div>';
+        $content .= '<div class="description">' . Xss::filterAdmin($item['description']) . '</div>';
       }
       $output .= l($content, $item['link_path'], $options);
       $output .= '</li>';