diff -u b/core/includes/common.inc b/core/includes/common.inc
--- b/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2848,6 +2848,19 @@
 
   // Assume that if #theme is set it represents an implemented hook.
   $theme_is_implemented = isset($elements['#theme']);
+  // Check the elements for insecure HTML and pass through sanitization.
+  if (isset($elements)) {
+    $markup_keys = array(
+      '#description',
+      '#field_prefix',
+      '#field_suffix',
+    );
+    foreach ($markup_keys as $key) {
+      if (!empty($elements[$key]) && is_scalar($elements[$key])) {
+        $elements[$key] = SafeMarkup::checkAdminXss($elements[$key]);
+      }
+    }
+  }
 
   // Call the element's #theme function if it is set. Then any children of the
   // element have to be rendered there. If the internal #render_children
reverted:
--- b/core/includes/form.inc
+++ a/core/includes/form.inc
@@ -556,7 +556,7 @@
       $description_attributes['id'] = $element['#id'] . '--description';
     }
     $variables['description']['attributes'] = new Attribute($description_attributes);
+    $variables['description']['content'] = $element['#description'];
-    $variables['description']['content'] = &$element['#description'];
   }
 
   // Add label_display and label variables to template.
reverted:
--- b/core/includes/theme.inc
+++ a/core/includes/theme.inc
@@ -382,19 +382,6 @@
       drupal_render($preprocess_attached, TRUE);
     }
   }
-  // Check the elements for insecure HTML and pass through sanitization.
-  if (isset($variables['element'])) {
-    $markup_keys = array(
-      '#description',
-      '#field_prefix',
-      '#field_suffix',
-    );
-    foreach ($markup_keys as $key) {
-      if (!empty($variables['element'][$key]) && is_scalar($variables['element'][$key])) {
-        $variables['element'][$key] = SafeMarkup::checkAdminXss($variables['element'][$key]);
-      }
-    }
-  }
 
   // Generate the output using either a function or a template.
   $output = '';
reverted:
--- b/core/modules/locale/src/Form/ImportForm.php
+++ a/core/modules/locale/src/Form/ImportForm.php
@@ -103,22 +103,18 @@
       'file_validate_extensions' => array('po'),
       'file_validate_size' => array(file_upload_max_size()),
     );
-
-    $file_description = array(
-      '#theme' => 'file_upload_help',
-      '#description' => $this->t('A Gettext Portable Object file.'),
-      '#upload_validators' => $validators,
-    );
-
     $form['file'] = array(
       '#type' => 'file',
       '#title' => $this->t('Translation file'),
+      '#description' => array(
+        '#theme' => 'file_upload_help',
+        '#description' => $this->t('A Gettext Portable Object file.'),
+        '#upload_validators' => $validators,
+      ),
-      '#description' => drupal_render($file_description),
       '#size' => 50,
       '#upload_validators' => $validators,
       '#attributes' => array('class' => array('file-import-input')),
     );
-
     $form['langcode'] = array(
       '#type' => 'select',
       '#title' => $this->t('Language'),