diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/area/TokenizeAreaPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/area/TokenizeAreaPluginBase.php
index 6f0add5..61f1135 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/area/TokenizeAreaPluginBase.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/area/TokenizeAreaPluginBase.php
@@ -7,6 +7,8 @@
 
 namespace Drupal\views\Plugin\views\area;
 
+use Drupal\Component\Utility\String;
+
 /**
  * Tokenized base class for area handlers.
  *
@@ -79,7 +81,7 @@ public function tokenForm(&$form, &$form_state) {
         if (!empty($options[$type])) {
           $items = array();
           foreach ($options[$type] as $key => $value) {
-            $items[] = $key . ' == ' . $value;
+            $items[] = $key . ' == ' . String::checkPlain($value);
           }
           $form['tokens']['tokens'] = array(
             '#theme' => 'item_list',
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/display/DisplayPluginBase.php
index 498fccd..4936ff9 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/display/DisplayPluginBase.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/display/DisplayPluginBase.php
@@ -12,6 +12,7 @@
 use Drupal\views\ViewExecutable;
 use Drupal\views\Plugin\views\PluginBase;
 use Drupal\views\Views;
+use Drupal\Component\Utility\String;
 
 /**
  * @defgroup views_display_plugins Views display plugins
@@ -963,6 +964,7 @@ public function getFieldLabels($groupable_only = FALSE) {
       if (!empty($handler->options['relationship']) && !empty($relationships[$handler->options['relationship']])) {
         $options[$id] = '(' . $relationships[$handler->options['relationship']] . ') ' . $options[$id];
       }
+      $options[$id] = String::checkPlain($label);
     }
     return $options;
   }
diff --git a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
index 25c28a8..ae58801 100644
--- a/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
+++ b/core/modules/views/lib/Drupal/views/Plugin/views/field/FieldPluginBase.php
@@ -11,6 +11,7 @@
 use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\ResultRow;
 use Drupal\views\ViewExecutable;
+use Drupal\Component\Utility\String;
 
 /**
  * @defgroup views_field_handlers Views field handlers
@@ -868,7 +869,7 @@ public function buildOptionsForm(&$form, &$form_state) {
           if (!empty($options[$type])) {
             $items = array();
             foreach ($options[$type] as $key => $value) {
-              $items[] = $key . ' == ' . $value;
+              $items[] = $key . ' == ' . String::checkPlain($value);
             }
             $item_list = array(
               '#theme' => 'item_list',
diff --git a/core/modules/views_ui/js/views-admin.js b/core/modules/views_ui/js/views-admin.js
index b09cbeb..7f9eb86 100644
--- a/core/modules/views_ui/js/views-admin.js
+++ b/core/modules/views_ui/js/views-admin.js
@@ -212,7 +212,7 @@ Drupal.viewsUi.AddItemForm.prototype.handleCheck = function (event) {
  */
 Drupal.viewsUi.AddItemForm.prototype.refreshCheckedItems = function () {
   // Perhaps we should precache the text div, too.
-  this.$selected_div.find('.views-selected-options').html(this.checkedItems.join(', '));
+  this.$selected_div.find('.views-selected-options').html(Drupal.checkPlain(this.checkedItems.join(', ')));
   Drupal.viewsUi.resizeModal('', true);
 };
 
diff --git a/core/modules/views_ui/lib/Drupal/views_ui/ViewListController.php b/core/modules/views_ui/lib/Drupal/views_ui/ViewListController.php
index d2029fe..1edf7f8 100644
--- a/core/modules/views_ui/lib/Drupal/views_ui/ViewListController.php
+++ b/core/modules/views_ui/lib/Drupal/views_ui/ViewListController.php
@@ -100,7 +100,7 @@ public function buildRow(EntityInterface $view) {
           ),
           'class' => array('views-table-filter-text-source'),
         ),
-        'tag' => $view->get('tag'),
+        'tag' => String::checkPlain($view->get('tag')),
         'path' => implode(', ', $this->getDisplayPaths($view)),
         'operations' => $row['operations'],
       ),
diff --git a/core/modules/views_ui/views_ui.theme.inc b/core/modules/views_ui/views_ui.theme.inc
index 8ae5733..e109ee1 100644
--- a/core/modules/views_ui/views_ui.theme.inc
+++ b/core/modules/views_ui/views_ui.theme.inc
@@ -6,6 +6,7 @@
  */
 
 use Drupal\Core\Template\Attribute;
+use Drupal\Component\Utility\String;
 
 /**
  * Prepares variables for Views UI display tab setting templates.
@@ -90,7 +91,7 @@ function template_preprocess_views_ui_display_tab_bucket(&$variables) {
  *   - view: The View object.
  */
 function template_preprocess_views_ui_view_info(&$variables) {
-  $variables['title'] = $variables['view']->label();
+  $variables['title'] = String::checkPlain($variables['view']->label());
   $variables['displays'] = empty($variables['displays']) ? t('None') : format_plural(count($variables['displays']), 'Display', 'Displays') . ': ' . '<em>' . implode(', ', $variables['displays']) . '</em>';
 }