diff --git a/core/modules/views_ui/src/Tests/XssTest.php b/core/modules/views_ui/src/Tests/XssTest.php
new file mode 100644
index 0000000..36c0069
--- /dev/null
+++ b/core/modules/views_ui/src/Tests/XssTest.php
@@ -0,0 +1,34 @@
+drupalGet('admin/structure/views');
+ $this->assertRaw('<script>alert("foo");</script>, <marquee>test</marquee>', 'The view tag is properly escaped.');
+
+ $this->drupalGet('admin/structure/views/view/sa_contrib_2013_035');
+ $this->assertRaw('<marquee>test</marquee>', 'Field admin label is properly escaped.');
+
+ $this->drupalGet('admin/structure/views/nojs/handler/sa_contrib_2013_035/page_1/header/area');
+ $this->assertRaw('[title] == <marquee>test</marquee>', 'Token label is properly escaped.');
+ $this->assertRaw('[title_1] == <script>alert("XSS")</script>', 'Token label is properly escaped.');
+ }
+
+}
diff --git a/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml
new file mode 100644
index 0000000..9d9d2c1
--- /dev/null
+++ b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml
@@ -0,0 +1,254 @@
+uuid: 93005672-5b8a-4a7a-9342-6651552bb753
+langcode: en
+status: true
+dependencies:
+ module:
+ - node
+id: sa_contrib_2013_035
+label: SA_CONTRIB_2013_035
+module: views
+description: ''
+tag: ', '
+base_table: node
+base_field: nid
+core: 8.x
+display:
+ default:
+ display_plugin: default
+ id: default
+ display_title: Master
+ position: 0
+ provider: views
+ display_options:
+ access:
+ type: perm
+ options:
+ perm: 'access content'
+ provider: user
+ dependencies: { }
+ cache:
+ type: none
+ options: { }
+ provider: views
+ dependencies: { }
+ query:
+ type: views_query
+ options:
+ disable_sql_rewrite: false
+ distinct: false
+ replica: false
+ query_comment: false
+ query_tags: { }
+ provider: views
+ dependencies: { }
+ exposed_form:
+ type: basic
+ options:
+ submit_button: Apply
+ reset_button: false
+ reset_button_label: Reset
+ exposed_sorts_label: 'Sort by'
+ expose_sort_order: true
+ sort_asc_label: Asc
+ sort_desc_label: Desc
+ provider: views
+ dependencies: { }
+ pager:
+ type: full
+ options:
+ items_per_page: 10
+ offset: 0
+ id: 0
+ total_pages: null
+ expose:
+ items_per_page: false
+ items_per_page_label: 'Items per page'
+ items_per_page_options: '5, 10, 25, 50'
+ items_per_page_options_all: false
+ items_per_page_options_all_label: '- All -'
+ offset: false
+ offset_label: Offset
+ tags:
+ previous: '‹ previous'
+ next: 'next ›'
+ first: '« first'
+ last: 'last »'
+ quantity: 9
+ provider: views
+ dependencies: { }
+ style:
+ type: default
+ options:
+ grouping: { }
+ row_class: ''
+ default_row_class: true
+ uses_fields: false
+ provider: views
+ dependencies: { }
+ row:
+ type: fields
+ options:
+ inline: { }
+ separator: ''
+ hide_empty: false
+ default_field_elements: true
+ provider: views
+ dependencies: { }
+ fields:
+ title:
+ id: title
+ table: node_field_data
+ field: title
+ relationship: none
+ group_type: group
+ admin_label: ''
+ dependencies:
+ module:
+ - node
+ - node
+ - node
+ label: ''
+ exclude: false
+ alter:
+ alter_text: false
+ text: ''
+ make_link: false
+ path: ''
+ absolute: false
+ external: false
+ replace_spaces: false
+ path_case: none
+ trim_whitespace: false
+ alt: ''
+ rel: ''
+ link_class: ''
+ prefix: ''
+ suffix: ''
+ target: ''
+ nl2br: false
+ max_length: ''
+ word_boundary: false
+ ellipsis: false
+ more_link: false
+ more_link_text: ''
+ more_link_path: ''
+ strip_tags: false
+ trim: false
+ preserve_tags: ''
+ html: false
+ element_type: ''
+ element_class: ''
+ element_label_type: ''
+ element_label_class: ''
+ element_label_colon: false
+ element_wrapper_type: ''
+ element_wrapper_class: ''
+ element_default_classes: true
+ empty: ''
+ hide_empty: false
+ empty_zero: false
+ hide_alter_empty: true
+ link_to_node: 1
+ provider: node
+ title_1:
+ id: title_1
+ table: node_field_data
+ field: title
+ relationship: none
+ group_type: group
+ admin_label: ''
+ dependencies:
+ module:
+ - node
+ label: ''
+ exclude: false
+ alter:
+ alter_text: false
+ text: ''
+ make_link: false
+ path: ''
+ absolute: false
+ external: false
+ replace_spaces: false
+ path_case: none
+ trim_whitespace: false
+ alt: ''
+ rel: ''
+ link_class: ''
+ prefix: ''
+ suffix: ''
+ target: ''
+ nl2br: false
+ max_length: ''
+ word_boundary: true
+ ellipsis: true
+ more_link: false
+ more_link_text: ''
+ more_link_path: ''
+ strip_tags: false
+ trim: false
+ preserve_tags: ''
+ html: false
+ element_type: ''
+ element_class: ''
+ element_label_type: ''
+ element_label_class: ''
+ element_label_colon: false
+ element_wrapper_type: ''
+ element_wrapper_class: ''
+ element_default_classes: true
+ empty: ''
+ hide_empty: false
+ empty_zero: false
+ hide_alter_empty: true
+ link_to_node: true
+ plugin_id: node
+ provider: node
+ filters:
+ status:
+ value: true
+ table: node_field_data
+ field: status
+ provider: node
+ id: status
+ expose:
+ operator: ''
+ group: 1
+ sorts:
+ created:
+ id: created
+ table: node_field_data
+ field: created
+ order: DESC
+ relationship: none
+ group_type: group
+ admin_label: ''
+ dependencies: { }
+ exposed: false
+ expose:
+ label: ''
+ granularity: second
+ header:
+ area:
+ id: area
+ table: views
+ field: area
+ plugin_id: text
+ provider: views
+ footer: { }
+ empty: { }
+ relationships: { }
+ arguments: { }
+ field_langcode: '***LANGUAGE_language_content***'
+ field_langcode_add_to_query: null
+ title: ''
+ page_1:
+ display_plugin: page
+ id: page_1
+ display_title: Page
+ position: 2
+ provider: views
+ display_options:
+ field_langcode: '***LANGUAGE_language_content***'
+ field_langcode_add_to_query: null
+ path: foobar