Index: modules/block/block.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.admin.inc,v
retrieving revision 1.76
diff -u -p -r1.76 block.admin.inc
--- modules/block/block.admin.inc	28 Mar 2010 11:16:29 -0000	1.76
+++ modules/block/block.admin.inc	23 Apr 2010 01:46:03 -0000
@@ -313,7 +313,7 @@ function block_admin_configure($form, &$
     ':module' => $block->module,
     ':delta' => $block->delta,
   ))->fetchCol();
-  $role_options = db_query('SELECT rid, name FROM {role} ORDER BY name')->fetchAllKeyed();
+  $role_options = array_map('check_plain', user_roles());
   $form['visibility']['role'] = array(
     '#type' => 'fieldset',
     '#title' => t('Roles'),
Index: modules/filter/filter.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.admin.inc,v
retrieving revision 1.59
diff -u -p -r1.59 filter.admin.inc
--- modules/filter/filter.admin.inc	13 Apr 2010 15:23:03 -0000	1.59
+++ modules/filter/filter.admin.inc	23 Apr 2010 01:46:04 -0000
@@ -28,7 +28,7 @@ function filter_admin_overview($form) {
     }
     else {
       $form['formats'][$id]['name'] = array('#markup' => check_plain($format->name));
-      $roles = filter_get_roles_by_format($format);
+      $roles = array_map('check_plain', filter_get_roles_by_format($format));
       $roles_markup = $roles ? implode(', ', $roles) : t('No roles may use this format');
     }
     $form['formats'][$id]['roles'] = array('#markup' => $roles_markup);
@@ -127,7 +127,7 @@ function filter_admin_format_form($form,
   $form['roles'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Roles'),
-    '#options' => user_roles(),
+    '#options' => array_map('check_plain', user_roles()),
     '#disabled' => $is_fallback,
   );
   if ($is_fallback) {
Index: modules/user/user.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.admin.inc,v
retrieving revision 1.106
diff -u -p -r1.106 user.admin.inc
--- modules/user/user.admin.inc	13 Apr 2010 15:23:03 -0000	1.106
+++ modules/user/user.admin.inc	23 Apr 2010 01:46:04 -0000
@@ -188,7 +188,7 @@ function user_admin_account() {
   $destination = drupal_get_destination();
 
   $status = array(t('blocked'), t('active'));
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   $accounts = array();
   foreach ($result as $account) {
     $users_roles = array();
@@ -705,7 +705,7 @@ function user_admin_permissions($form, $
   // Have to build checkboxes here after checkbox arrays are built
   foreach ($role_names as $rid => $name) {
     $form['checkboxes'][$rid] = array('#type' => 'checkboxes', '#options' => $options, '#default_value' => isset($status[$rid]) ? $status[$rid] : array());
-    $form['role_names'][$rid] = array('#markup' => $name, '#tree' => TRUE);
+    $form['role_names'][$rid] = array('#markup' => check_plain($name), '#tree' => TRUE);
   }
 
   $form['actions'] = array('#type' => 'container', '#attributes' => array('class' => array('form-actions')));
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.1160
diff -u -p -r1.1160 user.module
--- modules/user/user.module	20 Apr 2010 08:25:30 -0000	1.1160
+++ modules/user/user.module	23 Apr 2010 01:46:05 -0000
@@ -975,7 +975,7 @@ function user_account_form(&$form, &$for
     '#access' => $admin,
   );
 
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   // The disabled checkbox subelement for the 'authenticated user' role
   // must be generated separately and added to the checkboxes element,
   // because of a limitation in Form API not supporting a single disabled