diff --git a/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php b/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php
index 9cf0988..e3ad5ad 100644
--- a/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php
+++ b/core/modules/views/src/Plugin/views/area/TokenizeAreaPluginBase.php
@@ -8,6 +8,7 @@ namespace Drupal\views\Plugin\views\area;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Component\Utility\String;
 /**
 * Tokenized base class for area handlers.
@@ -81,7 +82,7 @@ public function tokenForm(&$form, FormStateInterface $form_state) {
 if (!empty($options[$type])) {
 $items = array();
 foreach ($options[$type] as $key => $value) {
- $items[] = $key . ' == ' . $value;
+ $items[] = $key . ' == ' . String::checkPlain($value);
 }
 $form['tokens']['tokens'] = array(
 '#theme' => 'item_list',
diff --git a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
index 31f30bc..d2e256a 100644
--- a/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
+++ b/core/modules/views/src/Plugin/views/display/DisplayPluginBase.php
@@ -981,6 +981,7 @@ public function getFieldLabels($groupable_only = FALSE) {
 if (!empty($handler->options['relationship']) && !empty($relationships[$handler->options['relationship']])) {
 $options[$id] = '(' . $relationships[$handler->options['relationship']] . ') ' . $options[$id];
 }
+ $options[$id] = String::checkPlain($label);
 }
 return $options;
 }
diff --git a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php
index d4e04f9..21a0619 100644
--- a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php
+++ b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php
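Review bot: `$key` is still concatenated unescaped in the `foreach` of `tokenForm()`; only `$value` passes through `String::checkPlain()`. Where the keys come from is outside the hunk, so either escape both halves, `$items[] = String::checkPlain($key) . ' == ' . String::checkPlain($value);`, or add a comment such as `// Keys are fixed token names and contain no user input.` if that is the case. The matching line in `buildOptionsForm()` in FieldPluginBase.php has the same shape and needs the same decision. Both function bodies start and end outside their hunks.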
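Review bot: The added `$options[$id] = String::checkPlain($label);` in `getFieldLabels()` runs after the relationship `if` block and overwrites the `'(' . … . ') ' . $options[$id]` string that block has just built, so a field with a relationship would lose its prefix. Escaping the composed value keeps the prefix and covers the relationship label as well: `$options[$id] = String::checkPlain($options[$id]);`. `$label` is not assigned in the visible lines, and this file gets no `use Drupal\Component\Utility\String;` hunk in the patch, so both need checking against the loop body and file header that lie outside the hunk.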
@@ -17,6 +17,7 @@ use Drupal\views\Plugin\views\display\DisplayPluginBase;
 use Drupal\views\ResultRow;
 use Drupal\views\ViewExecutable;
+use Drupal\Component\Utility\String;
 /**
 * @defgroup views_field_handlers Views field handler plugins
@@ -886,7 +887,7 @@ public function buildOptionsForm(&$form, FormStateInterface $form_state) {
 if (!empty($options[$type])) {
 $items = array();
 foreach ($options[$type] as $key => $value) {
- $items[] = $key . ' == ' . $value;
+ $items[] = $key . ' == ' . String::checkPlain($value);
 }
 $item_list = array(
 '#theme' => 'item_list',
diff --git a/core/modules/views_ui/js/views-admin.js b/core/modules/views_ui/js/views-admin.js
index 2d197a9..ae5cda1 100644
--- a/core/modules/views_ui/js/views-admin.js
+++ b/core/modules/views_ui/js/views-admin.js
@@ -221,7 +221,7 @@ Drupal.viewsUi.AddItemForm.prototype.refreshCheckedItems = function () {
 // Perhaps we should precache the text div, too.
 this.$selected_div.find('.views-selected-options')
- .html(this.checkedItems.join(', '))
+ .html(Drupal.checkPlain(this.checkedItems.join(', ')))
 .trigger('dialogContentResize');
 };
diff --git a/core/modules/views_ui/src/ViewListBuilder.php b/core/modules/views_ui/src/ViewListBuilder.php
index 7321712..4883fd1 100644
--- a/core/modules/views_ui/src/ViewListBuilder.php
+++ b/core/modules/views_ui/src/ViewListBuilder.php
@@ -102,7 +102,7 @@ public function buildRow(EntityInterface $view) {
 ),
 'class' => array('views-table-filter-text-source'),
 ),
- 'tag' => $view->get('tag'),
+ 'tag' => String::checkPlain($view->get('tag')),
 'path' => SafeMarkup::set($display_paths),
 'operations' => $row['operations'],
 ),
diff --git a/core/modules/views_ui/views_ui.theme.inc b/core/modules/views_ui/views_ui.theme.inc
index eb8c34f..a7d2adc 100644
--- a/core/modules/views_ui/views_ui.theme.inc
+++ b/core/modules/views_ui/views_ui.theme.inc
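Review bot: Escaping with `Drupal.checkPlain()` and then passing the result to `.html()` in `refreshCheckedItems` makes jQuery parse a string that is meant to be plain text. `.text(this.checkedItems.join(', '))` sets the same content without the escape-then-parse round trip and keeps the sink itself non-HTML. How `checkedItems` is filled is outside this hunk, so confirm the entries are raw label text; if they are already entity-encoded, either form will display doubled entities.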
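Review bot: `String::checkPlain()` is now called in `buildRow()`, but this patch adds no `use Drupal\Component\Utility\String;` to ViewListBuilder.php, unlike the other PHP files it touches. Unless the import already exists above the hunk, the name resolves inside the file's own namespace and the views listing fails with a class-not-found error instead of rendering the escaped tag. A short comment on the new line, for example `// The tag is free text entered in the UI; escape it for the table cell.`, would also explain why it is treated differently from `'path'`, which is marked safe with `SafeMarkup::set()`.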
@@ -8,6 +8,7 @@ use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Render\Element;
 use Drupal\Core\Template\Attribute;
+use Drupal\Component\Utility\String;
 /**
 * Prepares variables for Views UI display tab setting templates.
@@ -88,7 +89,7 @@ function template_preprocess_views_ui_display_tab_bucket(&$variables) {
 * - view: The View object.
 */
 function template_preprocess_views_ui_view_info(&$variables) {
- $variables['title'] = $variables['view']->label();
+ $variables['title'] = String::checkPlain(['view']->label());
 if (empty($variables['displays'])) {
 $displays = t('None');
 }
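Review bot: `String::checkPlain(['view']->label())` drops `$variables`, so `label()` is called on the array literal `['view']` and `template_preprocess_views_ui_view_info()` stops with a fatal error instead of setting an escaped title. The line should read `$variables['title'] = String::checkPlain($variables['view']->label());`. The function body continues past the end of the hunk.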