diff -u b/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
--- b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -85,11 +85,11 @@
 else {
 $markup .= '>';
 if (isset($element['#value_prefix'])) {
- $markup .= $element['#value_prefix'];
+ $markup .= static::xssFilterAdminIfUnsafe($element['#value_prefix']);
 }
 $markup .= static::xssFilterAdminIfUnsafe($element['#value']);
 if (isset($element['#value_suffix'])) {
- $markup .= $element['#value_suffix'];
+ $markup .= static::xssFilterAdminIfUnsafe($element['#value_suffix']);
 }
 $markup .= '\n";
 }
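Review bot: The `#value_prefix` and `#value_suffix` branches filter each fragment on its own rather than the assembled string, so a prefix/suffix pair that is only well-formed together (a comment or CDATA wrapper opened in the prefix and closed in the suffix) may come out altered unless the caller passes both already marked safe. The body of `xssFilterAdminIfUnsafe()` is not visible in this hunk, so that behaviour is inferred from its name and from how `#value` is handled on the line between the two branches. I would document the new contract where the element's properties are described and above the first branch, e.g. `// #value_prefix and #value_suffix are admin-filtered like #value unless already marked safe.` A test that renders the element once with plain-string prefix and suffix and once with safe-marked ones would pin both paths. The enclosing method starts and ends outside the hunk.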