diff --git includes/common.inc includes/common.inc
index edbce37..1603e5b 100644
--- includes/common.inc
+++ includes/common.inc
@@ -1885,7 +1885,7 @@ function _format_date_callback(array $matches = NULL, $new_langcode = NULL) {
  */
 function format_username($account) {
   $name = !empty($account->name) ? $account->name : variable_get('anonymous', t('Anonymous'));
-  drupal_alter('username', $name, $account);
+  drupal_alter('username', check_plain($name), $account);
   return $name;
 }
 
diff --git includes/menu.inc includes/menu.inc
index 74c359c..2733d48 100644
--- includes/menu.inc
+++ includes/menu.inc
@@ -650,11 +650,10 @@ function _menu_item_localize(&$item, $map, $link_translate = FALSE) {
       else {
         $item['title'] = call_user_func_array($callback, menu_unserialize($item['title_arguments'], $map));
       }
-      // Avoid calling check_plain again on l() function.
-      if ($callback == 'check_plain') {
-        $item['localized_options']['html'] = TRUE;
-      }
     }
+    // Avoid calling check_plain again on l() function.  All title callbacks
+    // must return sanitized strings.
+    $item['localized_options']['html'] = TRUE;
   }
   elseif ($link_translate) {
     $item['title'] = $item['link_title'];
@@ -2181,7 +2180,9 @@ function menu_get_active_title() {
 
   foreach (array_reverse($active_trail) as $item) {
     if (!(bool)($item['type'] & MENU_IS_LOCAL_TASK)) {
-      return $item['title'];
+      // Text that is user-entered or not passed through a title callback
+      // will not have html set to TRUE.
+      return empty($item['localized_options']['html']) ? check_plain($item['title']) : $item['title'];
     }
   }
 }
diff --git includes/path.inc includes/path.inc
index 46757f7..a0172fc 100644
--- includes/path.inc
+++ includes/path.inc
@@ -293,7 +293,7 @@ function drupal_get_title() {
 
   // During a bootstrap, menu.inc is not included and thus we cannot provide a title.
   if (!isset($title) && function_exists('menu_get_active_title')) {
-    $title = check_plain(menu_get_active_title());
+    $title = menu_get_active_title();
   }
 
   return $title;
diff --git modules/aggregator/aggregator.module modules/aggregator/aggregator.module
index 7ccb270..4bf5381 100644
--- modules/aggregator/aggregator.module
+++ modules/aggregator/aggregator.module
@@ -279,7 +279,7 @@ function aggregator_menu() {
  *   An aggregator category title.
  */
 function _aggregator_category_title($category) {
-  return $category['title'];
+  return check_plain($category['title']);
 }
 
 /**
diff --git modules/dblog/dblog.test modules/dblog/dblog.test
index 7192d24..560f418 100644
--- modules/dblog/dblog.test
+++ modules/dblog/dblog.test
@@ -119,7 +119,7 @@ class DBLogTestCase extends DrupalWebTestCase {
    * @param integer $response HTTP response code.
    */
   private function verifyReports($response = 200) {
-    $quote = '&#039;';
+    $quote = "'";
 
     // View dblog help node.
     $this->drupalGet('admin/help/dblog');
diff --git modules/filter/filter.module modules/filter/filter.module
index d3ad23f..baf96d5 100644
--- modules/filter/filter.module
+++ modules/filter/filter.module
@@ -281,7 +281,7 @@ function filter_format_delete($format) {
  * Display a text format form title.
  */
 function filter_admin_format_title($format) {
-  return $format->name;
+  return check_plain($format->name);
 }
 
 /**
diff --git modules/menu/menu.module modules/menu/menu.module
index dc4f1f8..89d19c2 100644
--- modules/menu/menu.module
+++ modules/menu/menu.module
@@ -205,7 +205,7 @@ function menu_enable() {
  * Title callback for the menu overview page and links.
  */
 function menu_overview_title($menu) {
-  return $menu['title'];
+  return check_plain($menu['title']);
 }
 
 /**
diff --git modules/node/node.module modules/node/node.module
index de3e96a..39473c4 100644
--- modules/node/node.module
+++ modules/node/node.module
@@ -1981,7 +1981,7 @@ function node_menu_local_tasks_alter(&$data, $router_item, $root_path) {
  * Title callback for a node type.
  */
 function node_type_page_title($type) {
-  return $type->name;
+  return check_plain($type->name);
 }
 
 /**
diff --git modules/simpletest/tests/menu.test modules/simpletest/tests/menu.test
index d9a8127..2421f4a 100644
--- modules/simpletest/tests/menu.test
+++ modules/simpletest/tests/menu.test
@@ -403,6 +403,13 @@ class MenuRebuildTestCase extends DrupalWebTestCase {
   }
 
   /**
+   * Enable menu_test.module.
+   */
+  public function setUp() {
+    parent::setUp('menu_test');
+  }
+
+  /**
    * Test if the 'menu_rebuild_needed' variable triggers a menu_rebuild() call.
    */
   function testMenuRebuildByVariable() {
@@ -426,6 +433,16 @@ class MenuRebuildTestCase extends DrupalWebTestCase {
     $this->assertEqual($admin_exists, 'admin', t("The menu has been rebuilt, the path 'admin' now exists again."));
   }
 
+  /**
+   * Test title pass through.
+   */
+  function testMenuTitlePassThrough() {
+    $this->drupalGet('menu-test/passthrough');
+    $title = '<span>test</span>';
+    $this->assertRaw($title);
+    $this->assertNoRaw(check_plain($title));
+  }
+
 }
 
 /**
diff --git modules/simpletest/tests/menu_test.module modules/simpletest/tests/menu_test.module
index c9f8766..536c44b 100644
--- modules/simpletest/tests/menu_test.module
+++ modules/simpletest/tests/menu_test.module
@@ -172,7 +172,12 @@ function menu_test_menu() {
     'type' => MENU_LOCAL_TASK,
     'context' => MENU_CONTEXT_NONE,
   );
-
+  $items['menu-test/passthrough'] = array(
+    'title' => '<span>test</span>',
+    'page callback' => 'menu_test_passthrough',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
   return $items;
 }
 
@@ -313,3 +318,10 @@ function menu_test_static_variable($value = NULL) {
   }
   return $variable;
 }
+
+/**
+ * Empty menu callback.
+ */
+function menu_test_passthrough() {
+  return '&nbsp;';
+}