diff --git a/core/modules/views_ui/src/ViewEditForm.php b/core/modules/views_ui/src/ViewEditForm.php
index f27776c..eae0677 100644
--- a/core/modules/views_ui/src/ViewEditForm.php
+++ b/core/modules/views_ui/src/ViewEditForm.php
@@ -1056,13 +1056,13 @@ public function getFormBucket(ViewUI $view, $type, $display) {
         continue;
       }
 
-      $field_name = $handler->adminLabel(TRUE);
+      $field_name = Xss::filterAdmin($handler->adminLabel(TRUE));
       if (!empty($field['relationship']) && !empty($relationships[$field['relationship']])) {
         $field_name = '(' . $relationships[$field['relationship']] . ') ' . $field_name;
       }
 
       $description = Xss::filterAdmin($handler->adminSummary());
-      $link_text = $field_name . (empty($description) ? '' : " ($description)");
+      $link_text = Html::decodeEntities($field_name . (empty($description) ? '' : " ($description)"));
       $link_attributes = array('class' => array('views-ajax-link'));
       if (!empty($field['exclude'])) {
         $link_attributes['class'][] = 'views-field-excluded';
diff --git a/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml
index d45d509..8bf4ebc 100644
--- a/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml
+++ b/core/modules/views_ui/tests/modules/views_ui_test/config/install/views.view.sa_contrib_2013_035.yml
@@ -165,7 +165,49 @@ display:
           plugin_id: field
           entity_type: node
           entity_field: title
-      filters: {  }
+      filters:
+        changed:
+          id: changed
+          table: node_field_data
+          field: changed
+          relationship: none
+          group_type: group
+          admin_label: '<script>alert("XSS");</script>'
+          operator: '>'
+          value:
+            min: ''
+            max: ''
+            value: '-10 days'
+            type: offset
+          group: 1
+          exposed: false
+          expose:
+            operator_id: ''
+            label: ''
+            description: ''
+            use_operator: false
+            operator: ''
+            identifier: ''
+            required: false
+            remember: false
+            multiple: false
+            remember_roles:
+              authenticated: authenticated
+          is_grouped: false
+          group_info:
+            label: ''
+            description: ''
+            identifier: ''
+            optional: true
+            widget: select
+            multiple: false
+            remember: false
+            default_group: All
+            default_group_multiple: {  }
+            group_items: {  }
+          entity_type: node
+          entity_field: changed
+          plugin_id: date
       sorts: {  }
       header:
         area: