diff -u b/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
--- b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -59,11 +59,11 @@
    *   - #value: (optional) A string containing tag content, such as inline
    *     CSS. The value of #value will be XSS admin filtered if it is not safe.
    *   - #value_prefix: (optional) A string to prepend to #value, e.g. a CDATA
-   *     wrapper prefix. The value of #value_prefix will be XSS admin filtered
-   *     if it is not safe.
+   *     wrapper prefix. The value of #value_prefix cannot be filtered and is
+   *     assumed to be safe.
    *   - #value_suffix: (optional) A string to append to #value, e.g. a CDATA
-   *     wrapper suffix. The value of #value_suffix will be XSS admin filtered
-   *     if it is not safe.
+   *     wrapper suffix. The value of #value_suffix cannot be filtered and is
+   *     assumed to be safe.
    *   - #noscript: (optional) If TRUE, the markup (including any prefix or
    *     suffix) will be wrapped in a <noscript> element. (Note that passing
    *     any non-empty value here will add the <noscript> tag.)
@@ -85,18 +85,18 @@
     else {
       $markup .= '>';
       if (isset($element['#value_prefix'])) {
-        $markup .= static::xssFilterAdminIfUnsafe($element['#value_prefix']);
+        $markup .= $element['#value_prefix'];
       }
       $markup .= static::xssFilterAdminIfUnsafe($element['#value']);
       if (isset($element['#value_suffix'])) {
-        $markup .= static::xssFilterAdminIfUnsafe($element['#value_suffix']);
+        $markup .= $element['#value_suffix'];
       }
       $markup .= '</' . $escaped_tag . ">\n";
     }
     if (!empty($element['#noscript'])) {
       $markup = "<noscript>$markup</noscript>";
     }
-    $element['#markup'] = SafeString::create($markup);
+    $element['#markup'] = SafeMarkup::set($markup);
     return $element;
   }