From 7f99ea2f2caf07b6ab2c8830f51c71db2f137dc9 Mon Sep 17 00:00:00 2001
From: Dave Long
Date: Wed, 20 Nov 2024 17:59:40 +0000
Subject: [PATCH] SA-CORE-2024-003 by jrb, larowlan, catch, mingsong, poker10, longwave, benjifisher
---
 core/lib/Drupal/Core/Ajax/MessageCommand.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/core/lib/Drupal/Core/Ajax/MessageCommand.php b/core/lib/Drupal/Core/Ajax/MessageCommand.php
index 5dd2ed78614..dbcf989fa7f 100644
--- a/core/lib/Drupal/Core/Ajax/MessageCommand.php
+++ b/core/lib/Drupal/Core/Ajax/MessageCommand.php
@@ -2,6 +2,8 @@
 namespace Drupal\Core\Ajax;
+use Drupal\Component\Render\MarkupInterface;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Asset\AttachedAssets;
 /**
@@ -68,7 +70,7 @@ class MessageCommand implements CommandInterface, CommandWithAttachedAssetsInter
 /**
 * The message text.
 *
- * @var string
+ * @var string|\Drupal\Component\Render\MarkupInterface
 */
 protected $message;
@@ -96,7 +98,7 @@ class MessageCommand implements CommandInterface, CommandWithAttachedAssetsInter
 /**
 * Constructs a MessageCommand object.
 *
- * @param string $message
+ * @param string|\Drupal\Component\Render\MarkupInterface $message
 * The text of the message.
 * @param string|null $wrapper_query_selector
 * The query selector of the element to display messages in when they
@@ -120,7 +122,9 @@ class MessageCommand implements CommandInterface, CommandWithAttachedAssetsInter
 public function render() {
 return [
 'command' => 'message',
- 'message' => $this->message,
+ 'message' => $this->message instanceof MarkupInterface
+ ? (string) $this->message
+ : Xss::filterAdmin($this->message),
 'messageWrapperQuerySelector' => $this->wrapperQuerySelector,
 'messageOptions' => $this->options,
 'clearPrevious' => $this->clearPrevious,
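Review bot: The sanitisation contract that the last hunk adds to render() is not documented where a caller will see it. The constructor's `@param` in the third hunk widens the type but still describes `$message` only as "The text of the message.", although plain strings now pass through `Xss::filterAdmin()` and `MarkupInterface` objects are cast to string and emitted unfiltered. I would extend that description to `The text of the message. Plain strings are filtered with Xss::filterAdmin() when rendered; MarkupInterface objects are output as is, so only wrap content that is already safe.` The diffstat lists this one file, so a test pinning both branches (a plain string carrying markup the filter strips, and a MarkupInterface object that must pass through unchanged) appears to be absent from this patch. render()'s returned array continues past the end of the hunk.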