diff -u b/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
--- b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -85,11 +85,11 @@
else {
$markup .= '>';
if (isset($element['#value_prefix'])) {
- $markup .= $element['#value_prefix'];
+ $markup .= static::xssFilterAdminIfUnsafe($element['#value_prefix']);
}
$markup .= static::xssFilterAdminIfUnsafe($element['#value']);
if (isset($element['#value_suffix'])) {
- $markup .= $element['#value_suffix'];
+ $markup .= static::xssFilterAdminIfUnsafe($element['#value_suffix']);
}
$markup .= '' . $escaped_tag . ">\n";
}
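Review bot: Nothing next to the changed `#value_prefix` and `#value_suffix` lines tells callers that these keys now pass through `static::xssFilterAdminIfUnsafe()`. Code that supplied wrapper strings as plain text will presumably get altered output unless it marks them safe first. A comment above the prefix branch would help, such as `// #value_prefix and #value_suffix are filtered like #value unless already marked safe.`, and the element's property documentation should say the same. Prefix, value and suffix are each filtered separately and then concatenated, so a test should assert that the assembled string contains nothing the filter would reject if run over the whole string. The enclosing method begins and ends outside this hunk, so the filtering of the tag name and attributes cannot be checked from here.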