Security update

- Fixes Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069
- Issue #2564205: Decode html entities for views_ajax calls: Decode entities for view arguments
- It's possible to alter view refresh command output
- Views settings are checked before processing

The release fixes Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

• Fixes Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066

Fixes: Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064

Fixes: session_cache - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065

Fixes: Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063

If it is intended that relation endpoints (from relation dummy field widget display) should be shown to certain role, view relations permission should be given to those roles.