Update to Drupal 8.0.1. For more information, see https://www.drupal.org/node/2627402

core/modules/views/src/Plugin/Menu/ViewsMenuLink.php

@@ -70,9 +70,7 @@ class ViewsMenuLink extends MenuLinkBase implements ContainerFactoryPluginInterf
    *   The view executable factory
    */
   public function __construct(array $configuration, $plugin_id, $plugin_definition, EntityManagerInterface $entity_manager, ViewExecutableFactory $view_executable_factory) {
-    $this->configuration = $configuration;
-    $this->pluginId = $plugin_id;
-    $this->pluginDefinition = $plugin_definition;
+    parent::__construct($configuration, $plugin_id, $plugin_definition);
 
     $this->entityManager = $entity_manager;
     $this->viewExecutableFactory = $view_executable_factory;

core/modules/views/src/Plugin/views/PluginBase.php

@@ -250,7 +250,7 @@ abstract class PluginBase extends ComponentPluginBase implements ContainerFactor
 
         $this->unpackOptions($storage[$key], $value, isset($definition[$key]['contains']) ? $definition[$key]['contains'] : array(), $all, FALSE);
       }
-      else if ($all || !empty($definition[$key])) {
+      elseif ($all || !empty($definition[$key])) {
         $storage[$key] = $value;
       }
     }

core/modules/views/src/Plugin/views/display/EntityReference.php

@@ -150,7 +150,7 @@ class EntityReference extends DisplayPluginBase {
 
     // Add an IN condition for validation.
     if (!empty($options['ids'])) {
-      $this->view->query->addWhere(0, $id_field, $options['ids']);
+      $this->view->query->addWhere(0, $id_field, $options['ids'], 'IN');
     }
 
     $this->view->setItemsPerPage($options['limit']);

core/modules/views/src/Plugin/views/field/FieldPluginBase.php

@@ -1248,10 +1248,7 @@ abstract class FieldPluginBase extends HandlerBase implements FieldHandlerInterf
     if ($alter['phase'] == static::RENDER_TEXT_PHASE_EMPTY && $no_rewrite_for_empty) {
       // If we got here then $alter contains the value of "No results text"
       // and so there is nothing left to do.
-      if ($value_is_safe) {
-        $value = ViewsRenderPipelineMarkup::create($value);
-      }
-      return $value;
+      return ViewsRenderPipelineMarkup::create($value);
     }
 
     if (!empty($alter['strip_tags'])) {

core/modules/views/src/Plugin/views/filter/InOperator.php

@@ -349,7 +349,7 @@ class InOperator extends FilterPluginBase {
       if (count($this->value) == 0) {
         $values = $this->t('Unknown');
       }
-      else if (count($this->value) == 1) {
+      elseif (count($this->value) == 1) {
         // If any, use the 'single' short name of the operator instead.
         if (isset($info[$this->operator]['short_single'])) {
           $operator = $info[$this->operator]['short_single'];

core/modules/views/src/Plugin/views/query/Sql.php

@@ -805,9 +805,9 @@ class Sql extends QueryPluginBase {
    *   complex options, it is an array. The meaning of each element in the array is
    *   dependent on the $operator.
    * @param $operator
-   *   The comparison operator, such as =, <, or >=. It also accepts more complex
-   *   options such as IN, LIKE, or BETWEEN. Defaults to IN if $value is an array
-   *   = otherwise. If $field is a string you have to use 'formula' here.
+   *   The comparison operator, such as =, <, or >=. It also accepts more
+   *   complex options such as IN, LIKE, LIKE BINARY, or BETWEEN. Defaults to =.
+   *   If $field is a string you have to use 'formula' here.
    *
    * The $field, $value and $operator arguments can also be passed in with a
    * single DatabaseCondition object, like this:

core/modules/views/src/Tests/ModuleTest.php

@@ -15,6 +15,7 @@ namespace Drupal\views\Tests;
 use Drupal\views\Plugin\views\filter\Standard;
 use Drupal\views\Views;
 use Drupal\Component\Utility\SafeMarkup;
+use Drupal\Component\Render\FormattableMarkup;
 
 class ModuleTest extends ViewKernelTestBase {
 
@@ -54,7 +55,7 @@ class ModuleTest extends ViewKernelTestBase {
         'field' => $this->randomMachineName(),
       );
       $handler = $this->container->get('plugin.manager.views.' . $type)->getHandler($item);
-      $this->assertEqual('Drupal\views\Plugin\views\\' . $type . '\Broken', get_class($handler), t('Make sure that a broken handler of type: @type are created', array('@type' => $type)));
+      $this->assertEqual('Drupal\views\Plugin\views\\' . $type . '\Broken', get_class($handler), new FormattableMarkup('Make sure that a broken handler of type: @type is created.', ['@type' => $type]));
     }
 
     $views_data = $this->viewsData();

core/modules/views/src/Tests/ViewsEscapingTest.php

@@ -19,7 +19,7 @@ class ViewsEscapingTest extends ViewTestBase {
    *
    * @var array
    */
-  public static $testViews = array('test_page_display');
+  public static $testViews = array('test_page_display', 'test_field_header');
 
   /**
    * Used by WebTestBase::setup()
@@ -69,4 +69,21 @@ class ViewsEscapingTest extends ViewTestBase {
     $this->assertNoEscaped('<');
   }
 
+  /**
+   * Tests for incorrectly escaped markup in a header label on a display table.
+   */
+  public function testViewsFieldHeaderEscaping() {
+    // Test with a field header label having an html element wrapper.
+    $this->drupalGet('test_field_header');
+
+    // Assert that there are no escaped '<'s characters.
+    $this->assertNoEscaped('<');
+
+    // Test with a field header label having a XSS test as a wrapper.
+    $this->drupalGet('test_field_header_xss');
+
+    // Assert that XSS test is escaped.
+    $this->assertNoRaw('<script>alert("XSS")</script>', 'Harmful tags are escaped in header label.');
+  }
+
 }

core/modules/views/src/ViewExecutable.php

@@ -614,10 +614,10 @@ class ViewExecutable implements \Serializable {
   /**
    * Sets whether or not AJAX should be used.
    *
-   * If AJAX is used, paging, tablesorting and exposed filters will be fetched
+   * If AJAX is used, paging, table sorting, and exposed filters will be fetched
    * via an AJAX call rather than a page refresh.
    *
-   * @param bool $use_ajax
+   * @param bool $ajax_enabled
    *   TRUE if AJAX should be used, FALSE otherwise.
    */
   public function setAjaxEnabled($ajax_enabled) {