diff --git a/core/includes/common.inc b/core/includes/common.inc
index c84eb90..2441f55 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -453,6 +453,9 @@ function format_rss_item($title, $link, $description, $args = array()) { /** * Formats XML elements. * + * Note: It is the caller's responsibility to sanitize any input parameters. + * This function does not perform sanitization. + * * @param $array * An array where each item represents an element and is either a: * - (key => value) pair (value)
@@ -488,7 +491,9 @@ function format_xml_elements($array) { } } // @todo This is marking the output string as safe HTML, but we have only - // sanitized the attributes and tag values, not the tag names. + // sanitized the attributes and tag values, not the tag names, and we + // cannot guarantee the assembled markup is safe. Consier a fix in: + // https://www.drupal.org/node/2296885 return SafeMarkup::set($output); }
@@ -2763,7 +2768,7 @@ function drupal_pre_render_conditional_comments($elements) { * Pre-render callback: Renders a generic HTML tag with attributes into #markup. * * Note: It is the caller's responsibility to sanitize any input parameters. - * This callback does not perform any sanitization. + * This callback does not perform sanitization. * * @param array $element * An associative array containing:
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 9ada350..3ee2038 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -18,6 +18,7 @@ */ function system_requirements($phase) { $requirements = array(); + $description = array(); // Report Drupal version if ($phase == 'runtime') { 
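Review bot: The rewritten @todo in format_xml_elements misspells `Consier a fix in:`, which should read `Consider a fix in:`. The note added to the docblock in the @@ -453 hunk tells callers they must sanitize every input parameter, while this @todo says attribute and tag values are already sanitized and only the tag names are not, so the two comments now disagree about what a caller actually has to do. I would make the docblock state the gap precisely, e.g. `Array keys are emitted as tag names without escaping and must therefore never be derived from untrusted input; element values and attributes are escaped here (see the @todo below).` Because `SafeMarkup::set($output)` still marks the whole string safe regardless, that docblock sentence is the only place a caller learns about the unescaped keys. The body of format_xml_elements lies mostly outside the hunk.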
@@ -106,19 +107,19 @@ function system_requirements($phase) { } if (!empty($missing_extensions)) { - $description = t('Drupal requires you to enable the PHP extensions in the following list (see the system requirements page for more information):', array( + $description = array(t('Drupal requires you to enable the PHP extensions in the following list (see the system requirements page for more information):', array( '@system_requirements' => 'http://drupal.org/requirements', - )); + ))); $item_list = array( '#theme' => 'item_list', '#items' => $missing_extensions, ); - $description .= drupal_render($item_list); + $description[] = drupal_render($item_list); $requirements['php_extensions']['value'] = t('Disabled'); $requirements['php_extensions']['severity'] = REQUIREMENT_ERROR; - $requirements['php_extensions']['description'] = $description; + $requirements['php_extensions']['description'] = SafeMarkup::implode('', $description); } else { $requirements['php_extensions']['value'] = t('Enabled'); 
@@ -187,26 +188,27 @@ function system_requirements($phase) { ); if (!Environment::checkMemoryLimit(DRUPAL_MINIMUM_PHP_MEMORY_LIMIT, $memory_limit)) { - $description = ''; if ($phase == 'install') { - $description = t('Consider increasing your PHP memory limit to %memory_minimum_limit to help prevent errors in the installation process.', array('%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT)); + $description = array(t('Consider increasing your PHP memory limit to %memory_minimum_limit to help prevent errors in the installation process.', array('%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT))); } elseif ($phase == 'update') { - $description = t('Consider increasing your PHP memory limit to %memory_minimum_limit to help prevent errors in the update process.', array('%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT)); + $description = array(t('Consider increasing your PHP memory limit to %memory_minimum_limit to help prevent errors in the update process.', array('%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT))); } elseif ($phase == 'runtime') { - $description = t('Depending on your configuration, Drupal can run with a %memory_limit PHP memory limit. However, a %memory_minimum_limit PHP memory limit or above is recommended, especially if your site uses additional custom or contributed modules.', array('%memory_limit' => $memory_limit, '%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT)); + $description = array(t('Depending on your configuration, Drupal can run with a %memory_limit PHP memory limit. However, a %memory_minimum_limit PHP memory limit or above is recommended, especially if your site uses additional custom or contributed modules.', array('%memory_limit' => $memory_limit, '%memory_minimum_limit' => DRUPAL_MINIMUM_PHP_MEMORY_LIMIT))); } if (!empty($description)) { if ($php_ini_path = get_cfg_var('cfg_file_path')) { - $description .= ' ' . 
t('Increase the memory limit by editing the memory_limit parameter in the file %configuration-file and then restart your web server (or contact your system administrator or hosting provider for assistance).', array('%configuration-file' => $php_ini_path)); + $description[] = ' '; + $description[] = t('Increase the memory limit by editing the memory_limit parameter in the file %configuration-file and then restart your web server (or contact your system administrator or hosting provider for assistance).', array('%configuration-file' => $php_ini_path)); } else { - $description .= ' ' . t('Contact your system administrator or hosting provider for assistance with increasing your PHP memory limit.'); + $description[] = ' '; + $description[] = t('Contact your system administrator or hosting provider for assistance with increasing your PHP memory limit.'); } - $requirements['php_memory_limit']['description'] = $description . ' ' . t('For more information, see the online handbook entry for increasing the PHP memory limit.', array('@memory-limit' => 'http://drupal.org/node/207036')); + $requirements['php_memory_limit']['description'] = SafeMarkup::implode('', $description) . ' ' . t('For more information, see the online handbook entry for increasing the PHP memory limit.', array('@memory-limit' => 'http://drupal.org/node/207036')); $requirements['php_memory_limit']['severity'] = REQUIREMENT_WARNING; } } 
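Review bot: In the php_memory_limit hunk the safe-marked result is immediately concatenated again, `SafeMarkup::implode('', $description) . ' ' . t('For more information, ...')`, which as far as I can tell from the rest of this patch yields a new string that is no longer marked safe and so defeats the reason for switching to SafeMarkup::implode; push `' '` and that t() call into `$description` and implode once. This hunk also drops the `$description = '';` reset before the if/elseif chain and relies instead on the `$description = array();` added at the top of system_requirements in the @@ -18 hunk, so the `!empty($description)` guard now also passes when an earlier requirement block left content behind. The same reset is removed in the cron hunk (@@ -309) and the file-system hunk (@@ -393), where it matters more: a cron severity of REQUIREMENT_INFO, or a file-system phase other than runtime/install, skips the assignment and a stale `$description` from a previous requirement (or a previous loop iteration) is emitted as this requirement's description. Restoring `$description = array();` at each of those three points keeps the guards meaningful. system_requirements begins and ends outside the hunk.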
@@ -226,19 +228,19 @@ function system_requirements($phase) { } if (!empty($conf_errors)) { if (count($conf_errors) == 1) { - $description = $conf_errors[0]; + $description = array($conf_errors[0]); } else { $item_list = array( '#theme' => 'item_list', '#items' => $conf_errors, ); - $description = drupal_render($item_list); + $description = array(drupal_render($item_list)); } $requirements['settings.php'] = array( 'value' => t('Not protected'), 'severity' => REQUIREMENT_ERROR, - 'description' => $description, + 'description' => SafeMarkup::implode('', $description), ); } else {
@@ -309,20 +311,20 @@ function system_requirements($phase) { // Set summary and description based on values determined above. $summary = t('Last run !time ago', array('!time' => format_interval(REQUEST_TIME - $cron_last))); - $description = ''; if ($severity != REQUIREMENT_INFO) { - $description = t('Cron has not run recently.') . ' ' . $help; + $description = array(t('Cron has not run recently.'), ' ', $help); } - $description .= ' ' . t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron'))); - $description .= '
' . t('To run cron from outside the site, go to !cron', array('!cron' => url('cron/' . \Drupal::state()->get('system.cron_key'), array('absolute' => TRUE)))); + $description[] = ' '; + $description[] = t('You can run cron manually.', array('@cron' => url('admin/reports/status/run-cron'))); + $description[] = SafeMarkup::set('
'); + $description[] = t('To run cron from outside the site, go to !cron', array('!cron' => url('cron/' . \Drupal::state()->get('system.cron_key'), array('absolute' => TRUE)))); $requirements['cron'] = array( 'title' => t('Cron maintenance tasks'), 'severity' => $severity, 'value' => $summary, - // @todo Needs to preserve safe markup. - 'description' => SafeMarkup::set($description), + 'description' => SafeMarkup::implode('', $description), ); } if ($phase != 'install') {
@@ -381,7 +383,7 @@ function system_requirements($phase) { 'title' => t('File system'), ); - $error = ''; + $error = array(); // For installer, create the directories if possible. foreach ($directories as $directory) { if (!$directory) { 
@@ -393,26 +395,29 @@ function system_requirements($phase) { $is_writable = is_writable($directory); $is_directory = is_dir($directory); if (!$is_writable || !$is_directory) { - $description = ''; $requirements['file system']['value'] = t('Not writable'); if (!$is_directory) { - $error .= t('The directory %directory does not exist.', array('%directory' => $directory)) . ' '; + $error[] = t('The directory %directory does not exist.', array('%directory' => $directory)); + $error[] = ' '; } else { - $error .= t('The directory %directory is not writable.', array('%directory' => $directory)) . ' '; + $error[] = t('The directory %directory is not writable.', array('%directory' => $directory)); + $error[] = ' '; } // The files directory requirement check is done only during install and runtime. if ($phase == 'runtime') { - $description = $error . t('You may need to set the correct directory at the file system settings page or change the current directory\'s permissions so that it is writable.', array('@admin-file-system' => url('admin/config/media/file-system'))); + $description = $error; + $description[] = t('You may need to set the correct directory at the file system settings page or change the current directory\'s permissions so that it is writable.', array('@admin-file-system' => url('admin/config/media/file-system'))); } elseif ($phase == 'install') { // For the installer UI, we need different wording. 'value' will // be treated as version, so provide none there. - $description = $error . t('An automated attempt to create this directory failed, possibly due to a permissions problem. To proceed with the installation, either create the directory and modify its permissions manually or ensure that the installer has the permissions to create it automatically. 
For more information, see INSTALL.txt or the online handbook.', array('@handbook_url' => 'http://drupal.org/server-permissions')); + $description = $error; + $description[] = t('An automated attempt to create this directory failed, possibly due to a permissions problem. To proceed with the installation, either create the directory and modify its permissions manually or ensure that the installer has the permissions to create it automatically. For more information, see INSTALL.txt or the online handbook.', array('@handbook_url' => 'http://drupal.org/server-permissions')); $requirements['file system']['value'] = ''; } if (!empty($description)) { - $requirements['file system']['description'] = $description; + $requirements['file system']['description'] = SafeMarkup::implode('', $description); $requirements['file system']['severity'] = REQUIREMENT_ERROR; } }