diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index e25f8c7..7d5c934 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -46,7 +46,12 @@ public function getInfo() {
 * Pre-render callback: Renders a generic HTML tag with attributes into #markup.
 *
 * Note: It is the caller's responsibility to sanitize any input parameters.
- This callback does not perform sanitization.
+ This callback does not perform sanitization. Despite the result of this
+ pre-render callback being a #markup element, it is not passed through
+ \Drupal\Component\Utility\Xss::filterAdmin. This is because it is marked
+ safe here, which causes \Drupal\Component\Utility\SafeMarkup::checkAdminXss
+ to regard it as safe and bypass the call to
+ \Drupal\Component\Utility\Xss::filterAdmin,
 *
 * @param array $element
 * An associative array containing:
diff --git a/core/modules/system/theme.api.php b/core/modules/system/theme.api.php
index e51f03c..76e6028 100644
--- a/core/modules/system/theme.api.php
+++ b/core/modules/system/theme.api.php
@@ -265,7 +265,12 @@
 * - #markup: Specifies that the array provides HTML markup directly. Unless the
 * markup is very simple, such as an explanation in a paragraph tag, it is
 * normally preferable to use #theme or #type instead, so that the theme can
- customize the markup.
+ customize the markup. Note that the value is passed through
+ \Drupal\Component\Utility\XSS::filterAdmin which allows most tags with the
+ exception of script and style. If your markup needs these tags, then you
+ should implement a theme hook and template file and/or an asset library.
+ @see core.libraries.yml
+ @see hook_theme
 *
 * JavaScript and CSS assets are specified in the render array using the
 * #attached property (see @ref sec_attached).
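Review bot: The last added line of the HtmlTag docblock ends the sentence with a comma (`\Drupal\Component\Utility\Xss::filterAdmin,`) where a period belongs, and the paragraph stops short of the consequence a caller needs to hear: because the result is marked safe and skips Xss::filterAdmin, nothing downstream will strip script, event-handler or other dangerous content, so the first sentence about caller responsibility is the only line of defence. I would end the line with `\Drupal\Component\Utility\Xss::filterAdmin.` and add `Any unescaped user-supplied tag name, attribute or content passed in will therefore reach the page as-is; escape it before building the element.` so the security implication is explicit rather than implied. "Marked safe here" is asserted by the comment but the code doing the marking is outside this hunk, so confirm the wording against the body of the callback. The docblock (and its @param list) continues past the end of the hunk.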
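Review bot: The new theme.api.php text refers to `\Drupal\Component\Utility\XSS::filterAdmin` while the first hunk of this same commit spells the class `Xss`; PHP resolves class names case-insensitively at runtime, but in documentation the reference should match the declared name so readers and API-doc linkers find the right class, so change it to `\Drupal\Component\Utility\Xss::filterAdmin(), which allows most tags but` (the comma before "which" is also missing). Describing the filter as removing only script and style may understate what it strips; if filterAdmin also drops dangerous attributes (e.g. on* handlers) or URL schemes, either say so or point readers to the method's own docblock rather than enumerating here, since an incomplete list invites people to rely on it. The `@see hook_theme` line is presumably meant to be `@see hook_theme()`, matching how function references are written elsewhere in Drupal's API docs; verify against the surrounding file.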