commit 872089b2e842169920c4c8d30eb56fa03687fd4c
Author: Joel Pittet <joel@pittet.ca>
Date:   Tue Jun 9 13:17:40 2015 -0700

    check internal

diff --git a/core/lib/Drupal/Core/Render/Element/HtmlTag.php b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
index d00b593..3d4bec9 100644
--- a/core/lib/Drupal/Core/Render/Element/HtmlTag.php
+++ b/core/lib/Drupal/Core/Render/Element/HtmlTag.php
@@ -89,9 +89,9 @@ public static function preRenderHtmlTag($element) {
       $markup = SafeMarkup::format("<@tag@attributes>@value_prefix@value@value_suffix</@tag>\n", [
         '@tag' => $element['#tag'],
         '@attributes' => $attributes,
-        '@value_prefix' => $value_prefix,
-        '@value' => $element['#value'],
-        '@value_suffix' => $value_suffix,
+        '@value_prefix' => SafeMarkup::checkAdminXss($value_prefix),
+        '@value' => SafeMarkup::checkAdminXss($element['#value']),
+        '@value_suffix' => SafeMarkup::checkAdminXss($value_suffix),
       ]);
     }
     if (!empty($element['#noscript'])) {