diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 09ed72f..9c1158b 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -232,6 +232,21 @@ define('CHECK_PLAIN', 0);
 define('PASS_THROUGH', -1);
 
 /**
+ * Flag used to indicate that text is not sanitized, so run
+ * filter_xss().
+ *
+ * @see drupal_set_message()
+ */
+define('FILTER_XSS', 0);
+
+/**
+ * Flag used to indicate that text is not sanitized, so run filter_xss_admin().
+ *
+ * @see drupal_set_message()
+ */
+define('FILTER_XSS_ADMIN', 1);
+
+/**
  * Signals that the registry lookup cache should be reset.
  */
 define('REGISTRY_RESET_LOOKUP_CACHE', 1);
@@ -2027,6 +2042,14 @@ function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NO
  * @param bool $repeat
  * (optional) If this is FALSE and the message is already set, then the
  * message won't be repeated. Defaults to TRUE.
+ * @param string $output
+ * (optional) Option to apply sanitisation to $message output. Supported
+ * values are:
+ * - CHECK_PLAIN: check_plain()
+ * - FILTER_XSS: filter_xss()
+ * - FILTER_XSS_ADMIN: filter_xss_admin()
+ * - PASS_THROUGH: no sanitisation performed.
+ * Defaults to FILTER_XSS_ADMIN.
  *
  * @return array|null
  * A multidimensional array with keys corresponding to the set message types.
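Review bot: `define('FILTER_XSS', 0);` gives the new flag the same value as the existing `CHECK_PLAIN` (the hunk header shows `define('CHECK_PLAIN', 0);`), so no consumer can tell the two apart and whichever one is tested first wins. Give it a value that is not already taken by CHECK_PLAIN (0), FILTER_XSS_ADMIN (1) or PASS_THROUGH (-1), e.g. `define('FILTER_XSS', 2);`. A one-line comment on the define, such as `// Must stay distinct from CHECK_PLAIN/PASS_THROUGH/FILTER_XSS_ADMIN: drupal_set_message() dispatches on the value.`, would keep the next edit from reintroducing the collision.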
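Review bot: `@param string $output` documents the wrong type: every listed value (CHECK_PLAIN, FILTER_XSS, FILTER_XSS_ADMIN, PASS_THROUGH) is an integer constant, so this should read `@param int $output`. The text also presents the four options as interchangeable, but because FILTER_XSS and CHECK_PLAIN are both defined as 0 in this same diff, callers cannot currently select filter_xss() by passing FILTER_XSS; worth a sentence here until the constant is given a distinct value. Since the default is no longer pass-through, a line such as `Callers that already sanitised $message should pass PASS_THROUGH to avoid a second pass.` would spare existing callers a surprise.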
@@ -2036,8 +2059,25 @@ function watchdog($type, $message, $variables = array(), $severity = WATCHDOG_NO
  * @see drupal_get_messages()
  * @see theme_status_messages()
  */
-function drupal_set_message($message = NULL, $type = 'status', $repeat = TRUE) {
+function drupal_set_message($message = NULL, $type = 'status', $repeat = TRUE, $output = FILTER_XSS_ADMIN) {
  if ($message || $message === '0' || $message === 0) {
+ if ($output !== PASS_THROUGH) {
+ switch ($output) {
+ case CHECK_PLAIN:
+ $message = check_plain($message);
+ break;
+
+ case FILTER_XSS:
+ $message = filter_xss($message);
+ break;
+
+ case FILTER_XSS_ADMIN:
+ default:
+ $message = FILTER_XSS_ADMIN($message);
+ break;
+ }
+ }
+
  if (!isset($_SESSION['messages'][$type])) {
  $_SESSION['messages'][$type] = array();
  }
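Review bot: The `case FILTER_XSS:` branch of the new switch is unreachable, because FILTER_XSS and CHECK_PLAIN are both defined as 0 earlier in this diff and `case CHECK_PLAIN:` is matched first, so a caller asking for filter_xss() silently gets check_plain() and any markup it meant to keep is entity-encoded. `$message = FILTER_XSS_ADMIN($message);` only reaches filter_xss_admin() because PHP resolves function names case-insensitively; spell it `filter_xss_admin($message)` so it does not read as a constant being invoked. `switch` also compares loosely, so `$output = NULL` or `FALSE` lands on the CHECK_PLAIN branch rather than the documented default, which strict comparisons avoid. Note that the new default turns every existing caller from pass-through into a filter_xss_admin() pass, so messages that were already escaped are now processed a second time; whether that changes them depends on filter_xss_admin(), which is outside this hunk, as is the rest of drupal_set_message(). The rewrite below assumes FILTER_XSS has been given a value distinct from CHECK_PLAIN.
```php
    if ($output !== PASS_THROUGH) {
      if ($output === CHECK_PLAIN) {
        $message = check_plain($message);
      }
      elseif ($output === FILTER_XSS) {
        $message = filter_xss($message);
      }
      else {
        // FILTER_XSS_ADMIN, and the documented fallback for any other value.
        $message = filter_xss_admin($message);
      }
    }
    // … unchanged: $_SESSION['messages'][$type] initialisation …
```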