diff --git a/core/modules/link/src/Plugin/Field/FieldWidget/LinkWidget.php b/core/modules/link/src/Plugin/Field/FieldWidget/LinkWidget.php
index aac5378..95e11c3 100644
--- a/core/modules/link/src/Plugin/Field/FieldWidget/LinkWidget.php
+++ b/core/modules/link/src/Plugin/Field/FieldWidget/LinkWidget.php
@@ -55,7 +55,7 @@ protected static function getUriAsDisplayableString($uri) {
       $uri_reference = explode(':', $uri, 2)[1];
       // @todo Present the leading slash to the user and hence delete the next
       //   block in https://www.drupal.org/node/2418017. There, we will also
-      //   remove the ability to enter '<front>' or '<none>', we will expect '/'
+      //   remove the ability to enter '<front>' or '<none>', we'll expect '/'
       //   and '' instead respectively.
       $path = parse_url($uri, PHP_URL_PATH);
       if ($path === '/') {
diff --git a/core/modules/views/views.theme.inc b/core/modules/views/views.theme.inc
index 69f6f96..8e7af8d 100644
--- a/core/modules/views/views.theme.inc
+++ b/core/modules/views/views.theme.inc
@@ -406,7 +406,7 @@ function template_preprocess_views_view_summary_unformatted(&$variables) {
       $base_path = $argument->options['summary_options']['base_path'];
       $tokens = $this->getArgumentsTokens();
       $base_path = $this->viewsTokenReplace($base_path, $tokens);
-      $url = Url::fromUri('/' . $base_path);
+      $url = Url::fromUserInput('/' . $base_path);
     }
     else {
       $url = $view->getUrl($args)->setOptions($url_options);
diff --git a/core/tests/Drupal/Tests/Core/UrlTest.php b/core/tests/Drupal/Tests/Core/UrlTest.php
index b0d639b..56ea66f 100644
--- a/core/tests/Drupal/Tests/Core/UrlTest.php
+++ b/core/tests/Drupal/Tests/Core/UrlTest.php
@@ -171,6 +171,79 @@ public function testFromRouteFront() {
   }
 
   /**
+   * Tests the fromUserInput method with valid paths.
+   *
+   * @covers ::fromUserInput
+   * @dataProvider providerFromUserInput
+   */
+  public function testFromUserInput($path) {
+    $url = Url::fromUserInput($path);
+
+    $this->assertInstanceOf('Drupal\Core\Url', $url);
+  }
+
+  /**
+   * Data provider for testFromValidUserInput().
+   */
+  public function providerFromUserInput() {
+    return [
+      // Normal paths with a leading slash.
+      ['/foo'],
+      ['/f/oo'],
+      // Fragments with and without leading slashes.
+      ['#foo'],
+      ['/#foo'],
+      ['/f#oo'],
+      // Query strings with and without leading slashes.
+      ['?foo'],
+      ['/?foo'],
+      ['/f?oo'],
+      // Paths with various token formats and leading slashes.
+      ['/[foo]'],
+      ['/%foo'],
+      ['/{{ foo }}'],
+      // Disallowed characters in the authority (host name) that are valid
+      // elsewhere in the path, with leading slashes.
+      ['/(:;2&+h^'],
+      ['/AKI@&hO@'],
+    ];
+  }
+
+  /**
+   * Tests the fromUserInput method with invalid paths.
+   *
+   * @covers ::fromUserInput
+   * @expectedException \InvalidArgumentException
+   * @dataProvider providerFromInvalidUserInput
+   */
+  public function testFromInvalidUserInput($path) {
+    $url = Url::fromUserInput($path);
+  }
+
+  /**
+   * Data provider for testFromInvalidUserInput().
+   */
+  public function providerFromInvalidUserInput() {
+    return [
+      // Normal paths without a leading slash.
+      ['foo'],
+      ['f/oo'],
+      // Path without a leading slash containing a fragment.
+      ['f#oo'],
+      // Path without a leading slash containing a query string.
+      ['f?oo'],
+      // Paths with various token formats but no leading slash.
+      ['[foo]'],
+      ['%foo'],
+      ['{{ foo }}'],
+      // Disallowed characters in the authority (host name) that are valid
+      // elsewhere in the path.
+      ['(:;2&+h^'],
+      ['AKI@&hO@'],
+    ];
+  }
+
+  /**
    * Tests fromUri() method with a user-entered path not matching any route.
    *
    * @covers ::fromUri
@@ -596,9 +669,9 @@ public function providerTestToUriStringForEntity() {
    *
    * @covers ::toUriString
    *
-   * @dataProvider providerTestToUriStringForUserPath
+   * @dataProvider providerTestToUriStringForInternalScheme
    */
-  public function testToUriStringForUserPath($uri, $options, $uri_string) {
+  public function testToUriStringForInternalScheme($uri, $options, $uri_string) {
     $url = Url::fromRoute('entity.test_entity.canonical', ['test_entity' => '1']);
     $this->pathValidator->expects($this->any())
       ->method('getUrlIfValidWithoutAccessCheck')
@@ -614,7 +687,7 @@ public function testToUriStringForUserPath($uri, $options, $uri_string) {
   /**
    * Data provider for testing internal URIs.
    */
-  public function providerTestToUriStringForUserPath() {
+  public function providerTestToUriStringForInternalScheme() {
     return [
       // The four permutations of a regular path.
       ['internal:/test-entity/1', [], 'route:entity.test_entity.canonical;test_entity=1'],
@@ -649,7 +722,7 @@ public function testToUriStringForRoute($uri, $options, $uri_string) {
   }
 
   /**
-   * Data provider for testing internal URIs
+   * Data provider for testing routed URIs.
    */
   public function providerTestToUriStringForRoute() {
     return [