diff --git a/core/modules/views_ui/src/Tests/DisplayPathTest.php b/core/modules/views_ui/src/Tests/DisplayPathTest.php
index cc6826f..3f1ba86 100644
--- a/core/modules/views_ui/src/Tests/DisplayPathTest.php
+++ b/core/modules/views_ui/src/Tests/DisplayPathTest.php
@@ -33,6 +33,7 @@ class DisplayPathTest extends UITestBase {
 public function testPathUI() {
 $this->doBasicPathUITest();
 $this->doAdvancedPathsValidationTest();
+ $this->doPathXssFilterTest();
 }
 
 /**
@@ -58,6 +59,21 @@ protected function doBasicPathUITest() {
 }
 
 /**
+ * Tests that View paths are properly filtered for XSS.
+ */
+ public function doPathXssFilterTest() {
+ global $base_path;
+ $this->drupalGet('admin/structure/views/view/test_view');
+ $this->drupalPostForm(NULL, array(), 'Add Page');
+ $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_2/path', array('path' => 'malformed_path'), t('Apply'));
+ $this->drupalPostForm(NULL, array(), 'Add Page');
+ $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_3/path', array('path' => ''), t('Apply'));
+ $this->drupalPostForm('admin/structure/views/view/test_view', array(), t('Save'));
+ $this->drupalGet('admin/structure/views');
+ $this->assertRaw('/<object>malformed_path</object>, /<script>alert("hello");</script>', 'Two paths were filtered for XSS.');
+ }
+
+ /**
 * Tests a couple of invalid path patterns.
 */
 protected function doAdvancedPathsValidationTest() {
diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php
index cc11d8e..8e199c2 100644
--- a/core/modules/views_ui/src/ViewListBuilder.php
+++ b/core/modules/views_ui/src/ViewListBuilder.php
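Review bot: The expected string on the `assertRaw()` line contains the literal, unescaped `<object>` and `<script>` tags, and `assertRaw()` matches the raw response body, so as written the test passes only if that exact unescaped markup is present in the listing page — the opposite of what the message 'Two paths were filtered for XSS.' claims, and not evidence that filtering happened. It should assert that the live form is absent and the escaped form is present, e.g. `$this->assertNoRaw('<script>alert("hello");</script>');` paired with an `assertRaw('&lt;script&gt;...')` or `assertEscaped()` check, whichever this branch's base class provides. `global $base_path;` is declared but never read anywhere in the method and can be dropped, and the new method is `public` while the sibling helpers `doBasicPathUITest()` and `doAdvancedPathsValidationTest()` visible in the same hunk are `protected`. Neither posted path ('malformed_path' and '') contains the tags the assertion expects, so where they are injected is not visible here; a one-line comment naming the fixture or test module responsible would make the test readable on its own.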
@@ -81,12 +81,6 @@ public function load() {
 */
 public function buildRow(EntityInterface $view) {
 $row = parent::buildRow($view);
- $display_paths = '';
- $separator = '';
- foreach ($this->getDisplayPaths($view) as $display_path) {
- $display_paths .= $separator . SafeMarkup::escape($display_path);
- $separator = ', ';
- }
 return array(
 'data' => array(
 'view_name' => array(
@@ -103,7 +97,9 @@ public function buildRow(EntityInterface $view) {
 'class' => array('views-table-filter-text-source'),
 ),
 'tag' => $view->get('tag'),
- 'path' => SafeMarkup::set($display_paths),
+ 'path' => array(
+ 'data' => array('#markup' => implode(', ', $this->getDisplayPaths($view))),
+ ),
 'operations' => $row['operations'],
 ),
 'title' => $this->t('Machine name: @name', array('@name' => $view->id())),
diff --git a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
index a42a879..432e259 100644
--- a/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
+++ b/core/modules/views_ui/tests/src/Unit/ViewListBuilderTest.php
@@ -89,7 +89,7 @@ public function testBuildRowEntityList() {
 );
 $page_display->expects($this->any())
 ->method('getPath')
- ->will($this->returnValue('test_page'));
+ ->will($this->onConsecutiveCalls($this->returnValue('test_page'), $this->returnValue('malformed_path')));
 $embed_display = $this->getMock('Drupal\views\Plugin\views\display\Embed', array('initDisplay'),
 array(array(), 'default', $display_manager->getDefinition('embed'))
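Review bot: The `'path'` cell now hands the joined display paths to the renderer as `#markup`, whereas the removed code in the @@ -81 hunk called `SafeMarkup::escape()` on each path before concatenating, so no escaping happens in `buildRow()` any more and protection depends entirely on how the render layer treats `#markup` (as far as I recall that is an admin-level XSS filter with an allow-list of tags, which is weaker than the explicit escape it replaces). If strict escaping is the intent, escape before joining — assuming the `SafeMarkup` import is still present — e.g. `'data' => array('#markup' => implode(', ', array_map(function ($path) { return SafeMarkup::escape($path); }, $this->getDisplayPaths($view)))),`; if relying on the renderer is deliberate, say so above the cell: `// Display paths are editor-supplied config; XSS filtering of #markup is left to the renderer.` The unit test in this commit pins the unescaped form, so whichever choice is made should be explicit rather than implied. The enclosing `buildRow()` method continues past the end of the hunk.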
@@ -106,6 +106,11 @@ public function testBuildRowEntityList() {
 $values['display']['page_1']['display_plugin'] = 'page';
 $values['display']['page_1']['display_options']['path'] = 'test_page';
 
+ $values['display']['page_2']['id'] = 'page_2';
+ $values['display']['page_2']['display_title'] = 'Page 2';
+ $values['display']['page_2']['display_plugin'] = 'page';
+ $values['display']['page_2']['display_options']['path'] = 'malformed_path';
+
 $values['display']['embed']['id'] = 'embed';
 $values['display']['embed']['display_title'] = 'Embedded';
 $values['display']['embed']['display_plugin'] = 'embed';
@@ -115,6 +120,7 @@ public function testBuildRowEntityList() {
 ->will($this->returnValueMap(array(
 array('default', $values['display']['default'], $default_display),
 array('page', $values['display']['page_1'], $page_display),
+ array('page', $values['display']['page_2'], $page_display),
 array('embed', $values['display']['embed'], $embed_display),
 )));
 
@@ -141,8 +147,13 @@ public function testBuildRowEntityList() {
 
 $row = $view_list_builder->buildRow($view);
 
- $this->assertEquals(array('Embed admin label', 'Page admin label'), $row['data']['view_name']['data']['#displays'], 'Wrong displays got added to view list');
- $this->assertEquals($row['data']['path'], '/test_page', 'The path of the page display is not added.');
+ $expected_displays = array(
+ 'Embed admin label',
+ 'Page admin label',
+ 'Page admin label',
+ );
+ $this->assertEquals($expected_displays, $row['data']['view_name']['data']['#displays']);
+ $this->assertEquals('/test_page, /<object>malformed_path</object>', $row['data']['path']['data']['#markup']);
 }
 
 }
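Review bot: The last added assertion pins that `$row['data']['path']['data']['#markup']` still carries the raw `<object>` tag, i.e. that `buildRow()` performs no escaping of its own and whatever protects the listing happens later in the render pipeline, which this unit test does not exercise; that intent should be stated next to the assertion, e.g. `// buildRow() leaves paths unescaped: #markup is XSS-filtered by the renderer, not here.` The `getPath` mock in the @@ -89 hunk returns the plain string 'malformed_path', yet the expectation is `/<object>malformed_path</object>`, so the wrapping is produced somewhere not visible in this diff (presumably a URL-generator or path-processor stub set up earlier in the method); a short comment naming that source would save the next reader the hunt. `testBuildRowEntityList()` starts before this hunk.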