diff --git a/core/lib/Drupal/Core/Entity/EntityListController.php b/core/lib/Drupal/Core/Entity/EntityListController.php
index 1ebab9e..75e7b8e 100644
--- a/core/lib/Drupal/Core/Entity/EntityListController.php
+++ b/core/lib/Drupal/Core/Entity/EntityListController.php
@@ -9,6 +9,7 @@
 use Drupal\Core\Extension\ModuleHandlerInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
+use Drupal\Component\Utility\String;
 /**
 * Provides a generic implementation of an entity list controller.
@@ -144,7 +145,7 @@ public function buildHeader() {
 * @see Drupal\Core\Entity\EntityListController::render()
 */
 public function buildRow(EntityInterface $entity) {
- $row['label'] = $entity->label();
+ $row['label'] = String::checkPlain($entity->label());
 $row['id'] = $entity->id();
 $operations = $this->buildOperations($entity);
 $row['operations']['data'] = $operations;
diff --git a/core/modules/taxonomy/lib/Drupal/taxonomy/VocabularyListController.php b/core/modules/taxonomy/lib/Drupal/taxonomy/VocabularyListController.php
index edd0b8d..87f247c 100644
--- a/core/modules/taxonomy/lib/Drupal/taxonomy/VocabularyListController.php
+++ b/core/modules/taxonomy/lib/Drupal/taxonomy/VocabularyListController.php
@@ -74,7 +74,7 @@ public function buildRow(EntityInterface $entity) {
 unset($row['id']);
 $row['label'] = array(
- '#markup' => check_plain($row['label']),
+ '#markup' => $row['label'],
 );
 $row['#weight'] = $entity->get('weight');
 // Add weight column.
diff --git a/core/modules/user/lib/Drupal/user/RoleListController.php b/core/modules/user/lib/Drupal/user/RoleListController.php
index a2250f5..3f92dfd 100644
--- a/core/modules/user/lib/Drupal/user/RoleListController.php
+++ b/core/modules/user/lib/Drupal/user/RoleListController.php
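Review bot: The docblock above `EntityListController::buildRow()` (it starts outside this hunk) does not record that `$row['label']` is now an already-escaped string, and every subclass depends on that contract. A subclass that calls the parent and escapes the label again will double-encode it, and one that builds its label from `$entity->label()` without calling the parent gets no escaping at all; only the taxonomy and user role controllers are adjusted in this patch, so other overrides should be checked. I would add to the docblock: `* The 'label' element is escaped with String::checkPlain(); do not escape it again.` The neighbouring `$row['id'] = $entity->id();` is still assigned unescaped, so if any entity type allows arbitrary characters in its ID it likely needs the same treatment.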
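Review bot: `'#markup' => $row['label']` in `VocabularyListController::buildRow()` is now safe only because the value was escaped earlier, presumably by `parent::buildRow()` in the part of the method outside this hunk, and nothing at the `#markup` line says so. Because `#markup` is rendered as HTML, a later change to how `$row['label']` is populated would silently reintroduce the injection. A one-line comment above the array would make the dependency visible: `// $row['label'] was escaped by EntityListController::buildRow().` The same applies to the identical change in `RoleListController::buildRow()`.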
@@ -63,7 +63,7 @@ public function buildRow(EntityInterface $entity) {
 unset($row['id']);
 $row['label'] = array(
- '#markup' => check_plain($row['label']),
+ '#markup' => $row['label'],
 );
 $row['#weight'] = $entity->get('weight');
 // Add weight column.
diff --git a/core/tests/Drupal/Tests/Core/Entity/EntityListControllerTest.php b/core/tests/Drupal/Tests/Core/Entity/EntityListControllerTest.php
new file mode 100644
index 0000000..850f236
--- /dev/null
+++ b/core/tests/Drupal/Tests/Core/Entity/EntityListControllerTest.php
@@ -0,0 +1,96 @@
+ 'Entity list controller test',
+ 'description' => 'Unit test of entity access checking system.',
+ 'group' => 'Entity'
+ );
+ }
+
+ /**
+ * Entity info used by the test.
+ *
+ * @var array
+ */
+ public static $entityInfo = array(
+ 'entity_keys' => array(
+ 'id' => 'id',
+ 'label' => 'label',
+ ),
+ 'config_prefix' => 'user.role',
+ 'class' => 'Drupal\user\Plugin\Core\Entity\Role',
+ );
+
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function setUp() {
+ parent::setUp();
+
+ $this->container = new ContainerBuilder();
+
+ $this->role = $this
+ ->getMockBuilder('Drupal\user\Plugin\Core\Entity\Role')
+ ->setConstructorArgs(array('entityInfo' => static::$entityInfo, 'user_role'))
+ ->getMock();
+
+ $this->role->expects($this->any())
+ ->method('label')
+ ->will($this->returnValue(''));
+ }
+
+ /**
+ * Tests that buildRow() returns a string which has been run through
+ * check_plain
+ */
+ public function testBuildRow() {
+ // Creates a stub role storage controller and replace the attachLoad()
+ // method with an empty version, because attachLoad() calls
+ // module_implements().
+ $role_storage_controller = $this->getMockBuilder('Drupal\user\RoleStorageController')
+ ->disableOriginalConstructor()
+ ->getMock();
+
+ $module_handler = $this->getMockBuilder('Drupal\Core\Extension\ModuleHandler')
+ ->disableOriginalConstructor()
+ ->getMock();
+
+ $entity_list_controller = $this->getMock('Drupal\Core\Entity\EntityListController', array('buildOperations'), array('user_role', static::$entityInfo, $role_storage_controller, $module_handler));
+
+ $entity_list_controller->expects($this->any())
+ ->method('buildOperations')
+ ->will($this->returnValue(array()));
+
+ $built_row = $entity_list_controller->buildRow($this->role);
+
+ $this->assertEquals($built_row['label'], '<invalidlabel>', 'buildRow correctly escapes <script>');
+ }
+
+
+}
+
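Review bot: `assertEquals()` in `testBuildRow()` receives the actual value first and the expected literal second, so a failure would label the two values the wrong way round; PHPUnit's order is `assertEquals($expected, $actual, $message)`, so the first two arguments should be swapped. The description string in the test's info array, `'Unit test of entity access checking system.'`, does not describe this test and reads as carried over from another test class. The docblock on `testBuildRow()` ends without a full stop at `check_plain` and could name `String::checkPlain()`, which is what the controller now calls. This test covers only the base controller; the `#markup` paths in the vocabulary and role list controllers, which now rely on that escaping, are not exercised.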