diff --git a/core/includes/common.inc b/core/includes/common.inc
index 18ed1d5..7cf1fef 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -19,6 +19,7 @@
 use Drupal\Component\Utility\String;
 use Drupal\Component\Utility\Tags;
 use Drupal\Component\Utility\UrlHelper;
+use Drupal\Component\Utility\Xss;
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Language\LanguageInterface;
 use Drupal\Core\Site\Settings;
@@ -3099,6 +3100,18 @@ function drupal_render(&$elements, $is_recursive_call = FALSE) {
     $elements['#markup'] = SafeMarkup::set($elements['#markup']);
   }
 
+  // Filtering keys which are expected to contain HTML.
+  $markup_keys = array(
+    '#description',
+    '#field_prefix',
+    '#field_suffix',
+    '#prefix',
+    '#suffix',
+  );
+  foreach ($markup_keys as $key) {
+    $elements[$key] = isset($elements[$key]) ? Xss::filterAdmin($elements[$key]) : NULL;
+  }
+
   // Assume that if #theme is set it represents an implemented hook.
   $theme_is_implemented = isset($elements['#theme']);