diff --git a/core/modules/config_translation/src/FormElement/FormElementBase.php b/core/modules/config_translation/src/FormElement/FormElementBase.php
index e13cc31..ddda12e 100644
--- a/core/modules/config_translation/src/FormElement/FormElementBase.php
+++ b/core/modules/config_translation/src/FormElement/FormElementBase.php
@@ -8,6 +8,7 @@
 namespace Drupal\config_translation\FormElement;
 use Drupal\Core\Config\Config;
+use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Language\LanguageInterface;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\Core\TypedData\TypedDataInterface;
@@ -147,6 +148,12 @@ protected function getSourceElement(LanguageInterface $source_language, $source_
 * translation of complex data, similar access logic must be implemented
 * manually.
 *
+ * Note that because configuration values might be output on the page the form
+ * element is also responsible for validating that the input does not contain
+ * malicious HTML input. FormElementBase::validateInput(), which uses
+ * locale_string_is_safe() for the validation, is provided for that purpose
+ * and is used for the default form element.
+ *
 * @param \Drupal\Core\Language\LanguageInterface $translation_language
 * The language to display the translation form for.
 * @param mixed $source_config
@@ -159,6 +166,8 @@ protected function getSourceElement(LanguageInterface $source_language, $source_
 *
 * @see \Drupal\config_translation\FormElement\TextFormat
 * @see filter_process_format()
+ * @see \Drupal\config_translation\FormElement\FormElementBase::validateInput()
+ * @see locale_string_is_safe()
 */
 protected function getTranslationElement(LanguageInterface $translation_language, $source_config, $translation_config) {
 // Add basic properties that apply to all form elements.
@@ -170,10 +179,25 @@ protected function getTranslationElement(LanguageInterface $translation_language
 )),
 '#default_value' => $translation_config,
 '#attributes' => array('lang' => $translation_language->getId()),
+ '#element_validate' => [[get_class($this), 'validateInput']],
 );
 }
 /**
+ * Validates that the form element does not contain malicious HTML input.
+ *
+ * @param $element
+ * The form element to validate.
+ * @param \Drupal\Core\Form\FormStateInterface $form_state
+ * The form state.
+ */
+ public static function validateInput($element, FormStateInterface $form_state) {
+ if (!locale_string_is_safe($element['#value'])) {
+ $form_state->setError($element, t('The submitted string contains disallowed HTML.'));
+ }
+ }
+
+ /**
 * {@inheritdoc}
 */
 public function setConfig(Config $base_config, LanguageConfigOverride $config_translation, $config_values, $base_key = NULL) {
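Review bot: validateInput() hands `$element['#value']` straight to locale_string_is_safe() without confirming it is a string, and because the callback is public static and the new docblock invites subclasses to reuse it, an element whose `#value` is an array or NULL would reach a string-only check and the outcome is not defined here. For a security gate it is better to fail closed than to rely on that: `if (!is_string($element['#value']) || !locale_string_is_safe($element['#value'])) {` rejects anything that is not a plain string rather than letting it through. The `'#element_validate' => [[get_class($this), 'validateInput']]` entry also deserves a one-line comment saying why a static class/method pair is used instead of `$this` — presumably so the callable survives form caching and serialization — and that any subclass overriding getTranslationElement() must re-add it or the check is silently lost; the enclosing getTranslationElement() body starts outside this hunk.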