diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index 851bbf9..5f81e93 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -139,7 +139,8 @@ public static function preRenderConditionalComments($element) {
       $expression = '!IE';
     }
     else {
-      $expression = $browsers['IE'];
+      // Need to filter at least for admin usage.
+      $expression = SafeMarkup::checkAdminXss($browsers['IE']);
     }
 
     // Wrap the element's potentially existing #prefix and #suffix properties with
@@ -151,15 +152,23 @@ public static function preRenderConditionalComments($element) {
       '#prefix' => '',
       '#suffix' => '',
     );
+
+    // Ensure what we are dealing with is safe.
+    // This would be done later anyway in drupal_render().
+    $prefix = SafeMarkup::checkAdminXss($element['#prefix']);
+    $suffix = SafeMarkup::checkAdminXss($element['#suffix']);
+
+    // Now calling SafeMarkup::set is safe, because we ensured the
+    // data coming in was at least admin escaped.
     if (!$browsers['!IE']) {
       // "downlevel-hidden".
-      $element['#prefix'] = "\n<!--[if $expression]>\n" . $element['#prefix'];
-      $element['#suffix'] .= "<![endif]-->\n";
+      $element['#prefix'] = SafeMarkup::set("\n<!--[if $expression]>\n" . $prefix);
+      $element['#suffix'] = SafeMarkup::set($suffix . "<![endif]-->\n");
     }
     else {
       // "downlevel-revealed".
-      $element['#prefix'] = "\n<!--[if $expression]><!-->\n" . $element['#prefix'];
-      $element['#suffix'] .= "<!--<![endif]-->\n";
+      $element['#prefix'] = SafeMarkup::set("\n<!--[if $expression]><!-->\n" . $prefix);
+      $element['#suffix'] = SafeMarkup::set($suffix . "<!--<![endif]-->\n");
     }
 
     return $element;