diff --git a/core/modules/views/src/Plugin/views/PluginBase.php b/core/modules/views/src/Plugin/views/PluginBase.php
index 50e7d85..95ed826 100644
--- a/core/modules/views/src/Plugin/views/PluginBase.php
+++ b/core/modules/views/src/Plugin/views/PluginBase.php
@@ -334,8 +334,8 @@ public function globalTokenReplace($string = '', array $options = array()) {
 }

 /**
- * Replaces Views' tokens in a given string. It is the responsibility of the
- * calling function to ensure $text and $token replacements are sanitized.
+ * Replaces Views' tokens in a given string. The resulting string will be
+ * sanitized with Xss::filterAdmin.
 *
 * This used to be a simple strtr() scattered throughout the code. Some Views
 * tokens, such as arguments (e.g.: %1 or !1), still use the old format so we
@@ -349,7 +349,11 @@ public function globalTokenReplace($string = '', array $options = array()) {
 * @return String
 */
 protected function viewsTokenReplace($text, $tokens) {
- if (empty($tokens) || empty($text)) {
+ if (empty($text)) {
+ // No need to run Xss::filterAdmin on an empty string.
+ return '';
+ }
+ if (empty($tokens)) {
 return Xss::filterAdmin($text);
 }
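Review bot: The rewritten docblock summary says the result is "sanitized with Xss::filterAdmin" without stating what trust level that filter assumes, and it drops the earlier sentence about who is responsible for the token values. Xss::filterAdmin is the permissive admin-oriented filter, so the comment should make clear that `$text` is expected to be administrator-authored markup and that this method is not a general sanitizer for untrusted input, for example `The result is passed through Xss::filterAdmin(), a permissive filter intended for admin-authored markup.` Whether the token replacement values themselves are filtered or escaped is decided in the part of viewsTokenReplace() that lies outside this diff, so that should be confirmed and stated in the docblock as well.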
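Review bot: The new early return tests `empty($text)`, which is also true for the string `'0'`, so a text of `'0'` now comes back as `''` where the old code passed it to `Xss::filterAdmin($text)`. Comparing against the empty string keeps the shortcut without dropping that value: `if ($text === NULL || $text === '') {`. The rest of viewsTokenReplace() is outside this hunk, so whether a later path treats `'0'` differently cannot be seen from here.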