diff -u b/core/includes/theme.inc b/core/includes/theme.inc
--- b/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -13,7 +13,6 @@
 use Drupal\Component\Utility\Html;
 use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Component\Utility\Unicode;
-use Drupal\Component\Utility\Xss;
 use Drupal\Core\Config\Config;
 use Drupal\Core\Config\StorageException;
 use Drupal\Core\Render\SafeString;
@@ -1074,15 +1073,12 @@
 * @param array $variables
 * An associative array containing:
 * - items: An array of items to be displayed in the list.
- * - separator: A string to separate list items.
+ * - separator: A string to separate list items (defaults to ", ").
 * - empty: A message to display when there are no items.
- *
- * @see https://www.drupal.org/node/1842756
 */
 function template_preprocess_inline_list(&$variables) {
- // Since the separator may be user-specified, it must be filtered to permit
- // some HTML (such as ) to pass through.
- $variables['separator'] = SafeString::create(Xss::filter($variables['separator'], ['br']));
+ // The separator may be user-specified, so we escape this.
+ $variables['separator'] = SafeString::create(SafeMarkup::escape($variables['separator'], ['br']));
 }
 
 /**
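Review bot: The `['br']` second argument on the new `SafeMarkup::escape()` call in `template_preprocess_inline_list()` looks like a leftover from the removed `Xss::filter()` allow-list. An escaping helper has no tag allow-list, and PHP silently ignores surplus arguments to userland functions, so (assuming `escape()` takes only the string, since its signature is not visible here) the line reads as if a line-break tag were still permitted when it is now rendered as literal text. I would drop it: `$variables['separator'] = SafeString::create(SafeMarkup::escape($variables['separator']));`, and make the comment say so, e.g. `// The separator may be user-specified, so escape it; any markup in it is shown as text.`. The updated docblock also promises a default of ", " that this function does not set; if that default is not declared in the theme hook definition outside this hunk, an unset separator reaches `escape()` as an undefined index.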