diff --git a/includes/common.inc b/includes/common.inc
index 98c84f6..9540c70 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -2020,7 +2020,9 @@ function format_date($timestamp, $type = 'medium', $format = '', $timezone = NUL
 _format_date_callback(NULL, $langcode);

 // Translate the marked sequences.
- return preg_replace_callback('/\xEF([AaeDlMTF]?)(.*?)\xFF/', '_format_date_callback', $format);
+ $formatted = preg_replace_callback('/\xEF([AaeDlMTF]?)(.*?)\xFF/', '_format_date_callback', $format);
+
+ return filter_xss_admin($formatted);
 }

 /**
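Review bot: The added `return filter_xss_admin($formatted);` sanitises for a single output context inside format_date(), a general-purpose formatter whose callers are not visible in this hunk and may place the result in attributes, plain-text mail or feeds. filter_xss_admin() is a permissive tag allow-list rather than an escaper, so markup such as links or images arriving through a custom `$format` or a translated date string would presumably still pass through, while plain-text consumers would now receive entity-encoded characters (a literal `&` returned as `&amp;`). If date strings are never meant to carry markup, escaping at the point of output expresses that more strictly than filtering here; either way the function's docblock, which lies outside this hunk, should gain a line such as `The returned string is passed through filter_xss_admin() and is safe only as HTML element content, not inside attributes.` preg_replace_callback() can also return NULL on a PCRE error, so a guard like `if ($formatted === NULL) { return ''; }` before the filter call would make that failure explicit instead of relying on how the filter treats NULL.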