diff -u b/core/includes/common.inc b/core/includes/common.inc
--- b/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2780,17 +2780,14 @@
 // Filtering keys which are expected to contain HTML.
 $markup_keys = array(
- '#description',
- '#field_prefix',
- '#field_suffix',
 '#prefix',
 '#suffix',
 );
 foreach ($markup_keys as $key) {
 // If it's not scalar it can deal with itself through __toString()
 // or drupal_render().
- if (!empty($elements[$key]) && is_scalar($elements[$key]) && !SafeMarkup::isSafe($elements[$key])) {
- $elements[$key] = SafeMarkup::set(Xss::filterAdmin($elements[$key]));
+ if (!empty($elements[$key]) && is_scalar($elements[$key])) {
+ $elements[$key] = SafeMarkup::checkAdminXss($elements[$key]);
 }
 }
diff -u b/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
--- b/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -686,12 +686,10 @@
 '#description',
 '#field_prefix',
 '#field_suffix',
- '#prefix',
- '#suffix',
 );
 foreach ($markup_keys as $key) {
- if (!empty($element[$key]) && is_scalar($element[$key]) && SafeMarkup::isSafe($element[$key])) {
- $element[$key] = SafeMarkup::set(Xss::filterAdmin($element[$key]));
+ if (!empty($element[$key]) && is_scalar($element[$key])) {
+ $element[$key] = SafeMarkup::checkAdminXss($element[$key]);
 }
 }
only in patch2: unchanged:
--- a/core/lib/Drupal/Component/Utility/SafeMarkup.php
+++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php
@@ -137,6 +137,22 @@ public static function escape($string) {
 }
 /**
+ * Applies a very permissive XSS/HTML filter for admin-only use.
+ *
+ * @param $string
+ * A string.
+ *
+ * @return string
+ * The escaped string. If $string was already set as safe with
+ * SafeString::set, it won't be escaped again.
+ *
+ * @see \Drupal\Component\Utility\Xss\filterAdmin
+ */
+ public static function checkAdminXss($string) {
+ return static::isSafe($string) ? $string : Xss::filterAdmin($string);
+ }
+
+ /**
 * Retrieves all strings currently marked as safe.
 *
 * This is useful for the batch and form APIs, where it is important to
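Review bot: The new checkAdminXss() returns the result of Xss::filterAdmin() without marking it safe, whereas both call sites it replaces (the removed lines in the common.inc and FormBuilder.php hunks) wrapped that call in `SafeMarkup::set(...)`; unless Xss::filterAdmin() already marks its output safe, which is not visible here, the filtered #prefix/#suffix/#description values will no longer pass later SafeMarkup::isSafe() checks and may be escaped or filtered a second time. If preserving that behaviour is intended, the body should be `return static::isSafe($string) ? $string : static::set(Xss::filterAdmin($string));`. The docblock also needs correcting: the `@see` target should read `\Drupal\Component\Utility\Xss::filterAdmin()`, the reference to `SafeString::set` should be `SafeMarkup::set()`, `@param $string` should carry the `string` type, and since filterAdmin() strips disallowed markup rather than escaping it, "The escaped string" is better stated as "The filtered string".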