only in patch2:
unchanged:
--- a/core/modules/views_ui/src/Tests/DisplayPathTest.php
+++ b/core/modules/views_ui/src/Tests/DisplayPathTest.php
@@ -33,6 +33,7 @@ class DisplayPathTest extends UITestBase {
   public function testPathUI() {
     $this->doBasicPathUITest();
     $this->doAdvancedPathsValidationTest();
+    $this->doPathXssFilterTest();
   }
 
   /**
@@ -58,6 +59,20 @@ protected function doBasicPathUITest() {
   }
 
   /**
+   * Tests that View paths are properly filtered for XSS.
+   */
+  public function doPathXssFilterTest() {
+    $this->drupalGet('admin/structure/views/view/test_view');
+    $this->drupalPostForm(NULL, array(), 'Add Page');
+    $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_1/path', array('path' => '<object>malformed_path</object>'), t('Apply'));
+    $this->drupalPostForm(NULL, array(), 'Add Page');
+    $this->drupalPostForm('admin/structure/views/nojs/display/test_view/page_2/path', array('path' => '<script>alert("hello");</script>'), t('Apply'));
+    $this->drupalPostForm('admin/structure/views/view/test_view', array(), t('Save'));
+    $this->drupalGet('admin/structure/views');
+    $this->assertRaw('<a href="/drupal8x/%3Cobject%3Emalformed_path%3C/object%3E">/&lt;object&gt;malformed_path&lt;/object&gt;</a>, <a href="/drupal8x/%3Cscript%3Ealert%28%22hello%22%29%3B%3C/script%3E">/&lt;script&gt;alert(&quot;hello&quot;);&lt;/script&gt;</a></td>', 'Two paths were filtered for XSS.');
+  }
+
+  /**
    * Tests a couple of invalid path patterns.
    */
   protected function doAdvancedPathsValidationTest() {