Index: includes/xmlrpc.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/xmlrpc.inc,v
retrieving revision 1.69
diff -u -p -r1.69 xmlrpc.inc
--- includes/xmlrpc.inc	14 Aug 2010 03:15:01 -0000	1.69
+++ includes/xmlrpc.inc	15 Aug 2010 12:13:48 -0000
@@ -106,9 +106,7 @@ function xmlrpc_value_get_xml($xmlrpc_va
       return '<double>' . $xmlrpc_value->data . '</double>';
 
     case 'string':
-      // Note: we don't escape apostrophes because of the many blogging clients
-      // that don't support numerical entities (and XML in general) properly.
-      return '<string>' . htmlspecialchars($xmlrpc_value->data) . '</string>';
+      return '<string>' . check_plain($xmlrpc_value->data) . '</string>';
 
     case 'array':
       $return = '<array><data>' . "\n";
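Review bot: The 'string' case drops the comment that explained why apostrophes were deliberately left unescaped, and nothing documents the new choice of `check_plain()`. `check_plain()` is defined outside this diff; if it escapes with ENT_QUOTES, apostrophes will now go out as a numeric entity, which is exactly the client-compatibility case the removed comment warned about. If it also validates UTF-8, a string with an invalid byte sequence may serialize as an empty `<string></string>` with no error to the caller. Once that behaviour is confirmed, a replacement comment such as `// check_plain() also escapes quotes; XML-RPC clients must decode numeric entities.` would record the decision. xmlrpc_value_get_xml() starts and ends outside the hunk.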
Index: modules/simpletest/tests/common.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/common.test,v
retrieving revision 1.121
diff -u -p -r1.121 common.test
--- modules/simpletest/tests/common.test	10 Aug 2010 01:00:42 -0000	1.121
+++ modules/simpletest/tests/common.test	15 Aug 2010 14:23:04 -0000
@@ -371,6 +371,34 @@ class CommonXssUnitTest extends DrupalUn
      $this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\xC0barbaz"');
      $text = filter_xss("Fooÿñ");
      $this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
+
+    // Validate invalid leading UTF-8 bytes.
+    $invalid = array_merge(
+      array_map('chr', range(hexdec('1'), hexdec('8'))),
+      array_map('chr', range(hexdec('B'), hexdec('C'))),
+      array_map('chr', range(hexdec('E'), hexdec('1F')))
+    );
+    $string = implode('', $invalid);
+    $this->assertFalse(drupal_validate_utf8($string), 'Characters #x1-#x8, #xB-#xC, #xE-#x1F are not valid.');
+
+    // Unicode characters #xC0-#xFF are actually allowed in XML, but
+    // misinterpreted by IE6.
+    // @see http://www.w3.org/TR/2000/REC-xml-20001006#NT-Char
+    // @see drupal_validate_utf8()
+    $invalid = array_merge(
+      $invalid,
+      array_map('chr', range(hexdec('C0'), hexdec('FF')))
+    );
+    $string = implode('', $invalid);
+    $this->assertFalse(drupal_validate_utf8($string), 'Characters #xC0-#xFF are not valid.');
+
+    // @todo chr() #fail
+    $invalid = array_merge(
+      $invalid,
+      array_map('chr', range(hexdec('D800'), hexdec('DFFF')))
+    );
+    $string = implode('', $invalid);
+    $this->assertFalse(drupal_validate_utf8($string), 'Characters #xD800-#xDFFF are not valid.');
   }
 
   /**
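Review bot: The second and third assertions cannot fail on their own, because `$invalid` is extended with `array_merge($invalid, ...)` and still carries the bytes from the first block, so they pass whenever the first one does. Each assertion should build its string from its own range only, e.g. `$string = implode('', array_map('chr', range(0xC0, 0xFF)));`. In the last block `chr()` produces single bytes and wraps its argument modulo 256, so the range 0xD800-0xDFFF never yields surrogate code points, which the `@todo chr() #fail` appears to acknowledge. An explicit byte string such as `"\xED\xA0\x80"` (the would-be UTF-8 encoding of U+D800) would test what the message claims. Since these tests back the XSS filtering checks, an assertion that passes for the wrong reason gives false assurance; the test method itself starts outside the hunk.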
