diff --git a/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php b/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
index 3777fb67885605a98aba153c5180437e447e6b1e..380990e1cb15c7cbfecfd681ad7a78f49ecdc347 100644
--- a/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
+++ b/core/modules/user/lib/Drupal/user/Tests/UserAutocompleteTest.php
@@ -47,15 +47,13 @@ function testUserAutocomplete() {
     // Using first letter of the user's name, make sure the user's full name is in the results.
     $this->assertRaw($this->unprivileged_user->name, 'User name found in autocompletion results.');
 
-    // Test that anonymous username is in the result.
-    $anonymous_name = $this->randomString();
+    $anonymous_name = $this->randomString() . '<script>alert();</script>';
     config('user.settings')->set('anonymous', $anonymous_name)->save();
-    $this->drupalGet('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4), 'anonymous' => '1')));
-    // Encode the anonymous name in the same way as JsonResponse does.
-    // @see \Symfony\Component\HttpFoundation\JsonResponse::setData()
-    $anonymous_name_safe = json_encode($anonymous_name, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT);
-    $this->assertRaw($anonymous_name_safe, 'The anonymous name found in autocompletion results.');
-    $this->drupalGet('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
-    $this->assertNoRaw($anonymous_name_safe, 'The anonymous name not found in autocompletion results without enabling anonymous username.');
+    // Test that anonymous username is in the result when requested and escaped
+    // with check_plain().
+    $users = $this->drupalGetAjax('user/autocomplete/anonymous', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
+    $this->assertTrue(in_array(check_plain($anonymous_name), $users), 'The anonymous name found in autocompletion results.');
+    $users = $this->drupalGetAjax('user/autocomplete', array('query' => array('q' => drupal_substr($anonymous_name, 0, 4))));
+    $this->assertFalse(isset($users[$anonymous_name]), 'The anonymous name not found in autocompletion results without enabling anonymous username.');
   }
 }
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 89bc6c1675316c502c54d3253f25682cb588ab82..038e55e9d56d49ed8a6b84001bdee7a90010ca5b 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -890,6 +890,15 @@ function user_menu() {
     'file' => 'user.pages.inc',
   );
 
+  $items['user/autocomplete/anonymous'] = array(
+    'title' => 'User autocomplete including anonymous',
+    'page callback' => 'user_autocomplete',
+    'page arguments' => array(TRUE),
+    'access callback' => 'user_access',
+    'access arguments' => array('access user profiles'),
+    'type' => MENU_CALLBACK,
+    'file' => 'user.pages.inc',
+  );
   // Registration and login pages.
   $items['user'] = array(
     'title' => 'User account',
diff --git a/core/modules/user/user.pages.inc b/core/modules/user/user.pages.inc
index 1820f3aa7e1f3a08cde51bcb0c12c1242ea30497..5a872ab2f65c3c07445dff70585a62408bfa84d8 100644
--- a/core/modules/user/user.pages.inc
+++ b/core/modules/user/user.pages.inc
@@ -15,26 +15,24 @@
  * Menu callback for user autocompletion.
  *
  * Like other autocomplete functions, this function inspects the 'q' query
- * parameter for the string to use to search for suggestions. If the name used
- * to indicate anonymous users (e.g. "Anonymous") is to be included as a
- * possible suggestion, the 'anonymous' query parameter should be set
- * additionally. For example, http://example.com/user/autocomplete?q=An might
- * return "Andrew" and "Anne", while
- * http://example.com/user/autocomplete?q=An&anonymous=1 will additionally
- * return "Anonymous".
+ * parameter for the string to use to search for suggestions.
+ *
+ * @param bool $include_anonymous
+ *   (optional) TRUE if the the name used to indicate anonymous users (e.g.
+ *   "Anonymous") should be autocompleted. Defaults to FALSE.
  *
  * @return \Symfony\Component\HttpFoundation\JsonResponse
  *   A JSON response containing the autocomplete suggestions for existing users.
  */
-function user_autocomplete() {
+function user_autocomplete($include_anonymous = FALSE) {
   $matches = array();
   $query = drupal_container()->get('request')->query;
   if ($string = $query->get('q')) {
-    if ($query->get('anonymous')) {
+    if ($include_anonymous) {
       $anonymous_name = config('user.settings')->get('anonymous');
       // Allow autocompletion for the anonymous user.
       if (stripos($anonymous_name, $string) !== FALSE) {
-        $matches[$anonymous_name] = $anonymous_name;
+        $matches[$anonymous_name] = check_plain($anonymous_name);
       }
     }
     $result = db_select('users')->fields('users', array('name'))->condition('name', db_like($string) . '%', 'LIKE')->range(0, 10)->execute();