diff -u b/core/modules/color/color.module b/core/modules/color/color.module
--- b/core/modules/color/color.module
+++ b/core/modules/color/color.module
@@ -15,6 +15,7 @@
 use Drupal\Core\Language\LanguageInterface;
 use Drupal\Core\Render\Element\Textfield;
 use Drupal\Core\Routing\RouteMatchInterface;
+use Drupal\Component\Utility\Xss;
 /**
  * Implements hook_help().
@@ -302,7 +303,9 @@
   // Attempt to load preview HTML if the theme provides it.
   $preview_html_path = \Drupal::root() . '/' . (isset($info['preview_html']) ? drupal_get_path('theme', $theme) . '/' . $info['preview_html'] : drupal_get_path('module', 'color') . '/preview.html.twig');
   $twig = \Drupal::service('twig');
-  $variables['html_preview']['#markup'] = $twig->renderInline(file_get_contents($preview_html_path));
+  $unsanitized_preview = $twig->renderInline(file_get_contents($preview_html_path));
+  $sanitized_preview = Xss::filterAdmin($unsanitized_preview);
+  $variables['html_preview']['#markup'] = $sanitized_preview;
 }
 /**
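Review bot: The added `use Drupal\Component\Utility\Xss;` is appended after the `Drupal\Core\Routing\RouteMatchInterface` import, which breaks the alphabetical ordering the surrounding `use` block appears to follow (`Component` sorts before `Core`). Moving it above the first `Drupal\Core\...` line keeps the block sorted and makes the new dependency easy to spot in later diffs, e.g. `use Drupal\Component\Utility\Xss;` placed before `use Drupal\Core\Language\LanguageInterface;`. The rest of the import block is outside the hunk, so the exact insertion point cannot be confirmed from here.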
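Review bot: The three new lines carry no comment explaining why output of a theme-supplied preview template is now passed through `Xss::filterAdmin()` before being assigned to `#markup`, and that reasoning is the whole point of the change. If I recall correctly, `renderInline()` returns a Markup object that the render system treats as already safe, so `$unsanitized_preview` would otherwise bypass the admin-tag filtering that `#markup` strings normally receive; the explicit filter closes that gap at the cost of the value being filtered once more by the renderer as a plain string, which is harmless but worth stating. I would add above the `Xss::filterAdmin()` line: `// The preview HTML comes from the theme; renderInline() marks it safe, so filter it explicitly to strip disallowed tags before it reaches the page.` The enclosing function starts outside the hunk, and `file_get_contents()` returning FALSE on a missing file is pre-existing behaviour the commit does not touch.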