diff --git a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/NumericFormatterBase.php b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/NumericFormatterBase.php
index e219c01..2095037 100644
--- a/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/NumericFormatterBase.php
+++ b/core/lib/Drupal/Core/Field/Plugin/Field/FieldFormatter/NumericFormatterBase.php
@@ -75,8 +75,8 @@ public function viewElements(FieldItemListInterface $items) {
 // Account for prefix and suffix.
 if ($this->getSetting('prefix_suffix')) {
- $prefix = isset($settings['prefix']) ? $settings['prefix'] : '';
- $suffix = isset($settings['suffix']) ? $settings['suffix'] : '';
+ $prefix = isset($settings['prefix']) ? $this->fieldFilterXss($settings['prefix']) : '';
+ $suffix = isset($settings['suffix']) ? $this->fieldFilterXss($settings['suffix']) : '';
 $output = $prefix . $output . $suffix;
 }
 // Output the raw value in a content attribute if the text of the HTML
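Review bot: Nothing on this page tests the new filtering of `$settings['prefix']` and `$settings['suffix']`, so a later refactor could drop the `fieldFilterXss()` calls without anyone noticing. A formatter test that sets a prefix and a suffix containing markup outside the allowed tag list, then asserts that markup is absent from the rendered output, would pin the fix. A why-comment above the two assignments would also help, e.g. `// Prefix and suffix are configurable field settings; filter them before they are concatenated into the output.` How `$output` is rendered after `$output = $prefix . $output . $suffix;` is outside this hunk, so it is worth confirming that the sink neither escapes the filtered markup a second time nor treats the whole string as trusted. viewElements() starts before the hunk and continues past it, and the hunk does not show where `fieldFilterXss()` is defined.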