diff --git a/core/lib/Drupal/Component/Utility/Html.php b/core/lib/Drupal/Component/Utility/Html.php
index b6eb649..440ac3e 100644
--- a/core/lib/Drupal/Component/Utility/Html.php
+++ b/core/lib/Drupal/Component/Utility/Html.php
@@ -7,6 +7,8 @@
 
 namespace Drupal\Component\Utility;
 
+use Drupal\Component\Utility\SafeMarkup;
+
 /**
  * Provides DOMDocument helpers for parsing and serializing HTML strings.
  *
@@ -315,7 +317,9 @@ public static function escapeCdataElement(\DOMNode $node, $comment_start = '//',
     foreach ($node->childNodes as $child_node) {
       if ($child_node instanceof \DOMCdataSection) {
         $embed_prefix = "\n<!--{$comment_start}--><![CDATA[{$comment_start} ><!--{$comment_end}\n";
+        $embed_prefix = SafeMarkup::set($embed_prefix);
         $embed_suffix = "\n{$comment_start}--><!]]>{$comment_end}\n";
+        $embed_suffix = SafeMarkup::set($embed_suffix);
 
         // Prevent invalid cdata escaping as this would throw a DOM error.
         // This is the same behavior as found in libxml2.
diff --git a/core/lib/Drupal/Core/Asset/JsCollectionRenderer.php b/core/lib/Drupal/Core/Asset/JsCollectionRenderer.php
index 01f75ac..d2d001e 100644
--- a/core/lib/Drupal/Core/Asset/JsCollectionRenderer.php
+++ b/core/lib/Drupal/Core/Asset/JsCollectionRenderer.php
@@ -8,6 +8,7 @@
 namespace Drupal\Core\Asset;
 
 use Drupal\Component\Serialization\Json;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\State\StateInterface;
 
 /**
@@ -55,7 +56,9 @@ public function render(array $js_assets) {
     // XHTML needs to be wrapped in CDATA. To make that backwards compatible
     // with HTML 4, we need to comment out the CDATA-tag.
     $embed_prefix = "\n<!--//--><![CDATA[//><!--\n";
+    $embed_prefix = SafeMarkup::set($embed_prefix);
     $embed_suffix = "\n//--><!]]>\n";
+    $embed_suffix = SafeMarkup::set($embed_suffix);
 
     // Defaults for each SCRIPT element.
     $element_defaults = array(