Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.393
diff -u -p -r1.393 bootstrap.inc
--- includes/bootstrap.inc	26 May 2010 07:52:12 -0000	1.393
+++ includes/bootstrap.inc	26 May 2010 21:52:56 -0000
@@ -1712,7 +1712,7 @@ function drupal_get_title() {
 
   // During a bootstrap, menu.inc is not included and thus we cannot provide a title.
   if (!isset($title) && function_exists('menu_get_active_title')) {
-    $title = check_plain(menu_get_active_title());
+    $title = menu_get_active_title();
   }
 
   return $title;
Index: includes/menu.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/menu.inc,v
retrieving revision 1.393
diff -u -p -r1.393 menu.inc
--- includes/menu.inc	26 May 2010 07:52:12 -0000	1.393
+++ includes/menu.inc	26 May 2010 21:53:01 -0000
@@ -650,11 +650,10 @@ function _menu_item_localize(&$item, $ma
       else {
         $item['title'] = call_user_func_array($callback, menu_unserialize($item['title_arguments'], $map));
       }
-      // Avoid calling check_plain again on l() function.
-      if ($callback == 'check_plain') {
-        $item['localized_options']['html'] = TRUE;
-      }
     }
+    // Avoid calling check_plain again on l() function.  All title callbacks
+    // must return sanitized strings.
+    $item['localized_options']['html'] = TRUE;
   }
   elseif ($link_translate) {
     $item['title'] = $item['link_title'];
@@ -2193,7 +2192,9 @@ function menu_get_active_title() {
 
   foreach (array_reverse($active_trail) as $item) {
     if (!(bool) ($item['type'] & MENU_IS_LOCAL_TASK)) {
-      return $item['title'];
+      // Text that is user-entered or not passed through a title callback
+      // will not have html set to TRUE.
+      return empty($item['localized_options']['html']) ? check_plain($item['title']) : $item['title'];
     }
   }
 }
Index: modules/aggregator/aggregator.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/aggregator/aggregator.module,v
retrieving revision 1.439
diff -u -p -r1.439 aggregator.module
--- modules/aggregator/aggregator.module	1 May 2010 08:12:22 -0000	1.439
+++ modules/aggregator/aggregator.module	26 May 2010 21:53:01 -0000
@@ -279,7 +279,7 @@ function aggregator_menu() {
  *   An aggregator category title.
  */
 function _aggregator_category_title($category) {
-  return $category['title'];
+  return check_plain($category['title']);
 }
 
 /**
Index: modules/dblog/dblog.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/dblog/dblog.test,v
retrieving revision 1.36
diff -u -p -r1.36 dblog.test
--- modules/dblog/dblog.test	27 Mar 2010 14:24:14 -0000	1.36
+++ modules/dblog/dblog.test	26 May 2010 21:53:02 -0000
@@ -119,7 +119,7 @@ class DBLogTestCase extends DrupalWebTes
    * @param integer $response HTTP response code.
    */
   private function verifyReports($response = 200) {
-    $quote = '&#039;';
+    $quote = "'";
 
     // View dblog help node.
     $this->drupalGet('admin/help/dblog');
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.332
diff -u -p -r1.332 filter.module
--- modules/filter/filter.module	26 May 2010 10:54:30 -0000	1.332
+++ modules/filter/filter.module	26 May 2010 21:53:03 -0000
@@ -281,7 +281,7 @@ function filter_format_delete($format) {
  * Display a text format form title.
  */
 function filter_admin_format_title($format) {
-  return $format->name;
+  return check_plain($format->name);
 }
 
 /**
Index: modules/menu/menu.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/menu/menu.module,v
retrieving revision 1.229
diff -u -p -r1.229 menu.module
--- modules/menu/menu.module	7 Mar 2010 07:55:14 -0000	1.229
+++ modules/menu/menu.module	26 May 2010 21:53:03 -0000
@@ -205,7 +205,7 @@ function menu_enable() {
  * Title callback for the menu overview page and links.
  */
 function menu_overview_title($menu) {
-  return $menu['title'];
+  return check_plain($menu['title']);
 }
 
 /**
Index: modules/node/node.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.module,v
retrieving revision 1.1275
diff -u -p -r1.1275 node.module
--- modules/node/node.module	26 May 2010 07:52:12 -0000	1.1275
+++ modules/node/node.module	26 May 2010 21:53:04 -0000
@@ -1973,7 +1973,7 @@ function node_menu_local_tasks_alter(&$d
  * Title callback for a node type.
  */
 function node_type_page_title($type) {
-  return $type->name;
+  return check_plain($type->name);
 }
 
 /**
Index: modules/simpletest/tests/menu.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu.test,v
retrieving revision 1.29
diff -u -p -r1.29 menu.test
--- modules/simpletest/tests/menu.test	26 Apr 2010 14:06:23 -0000	1.29
+++ modules/simpletest/tests/menu.test	26 May 2010 21:53:05 -0000
@@ -412,6 +412,13 @@ class MenuRebuildTestCase extends Drupal
   }
 
   /**
+   * Enable menu_test.module.
+   */
+  public function setUp() {
+    parent::setUp('menu_test');
+  }
+
+  /**
    * Test if the 'menu_rebuild_needed' variable triggers a menu_rebuild() call.
    */
   function testMenuRebuildByVariable() {
@@ -435,6 +442,16 @@ class MenuRebuildTestCase extends Drupal
     $this->assertEqual($admin_exists, 'admin', t("The menu has been rebuilt, the path 'admin' now exists again."));
   }
 
+  /**
+   * Test title pass through.
+   */
+  function testMenuTitlePassThrough() {
+    $this->drupalGet('menu-test/passthrough');
+    $title = '<span>test</span>';
+    $this->assertRaw($title);
+    $this->assertNoRaw(check_plain($title));
+  }
+
 }
 
 /**
Index: modules/simpletest/tests/menu_test.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/menu_test.module,v
retrieving revision 1.14
diff -u -p -r1.14 menu_test.module
--- modules/simpletest/tests/menu_test.module	26 Apr 2010 14:06:23 -0000	1.14
+++ modules/simpletest/tests/menu_test.module	26 May 2010 21:53:05 -0000
@@ -188,7 +188,12 @@ function menu_test_menu() {
     'access arguments' => array('access content'),
     'type' => MENU_LOCAL_TASK,
   );
-
+  $items['menu-test/passthrough'] = array(
+    'title' => '<span>test</span>',
+    'page callback' => 'menu_test_passthrough',
+    'access callback' => TRUE,
+    'type' => MENU_CALLBACK,
+  );
   return $items;
 }
 
@@ -329,3 +334,10 @@ function menu_test_static_variable($valu
   }
   return $variable;
 }
+
+/**
+ * Empty menu callback.
+ */
+function menu_test_passthrough() {
+  return '&nbsp;';
+}
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.1172
diff -u -p -r1.1172 user.module
--- modules/user/user.module	26 May 2010 07:52:13 -0000	1.1172
+++ modules/user/user.module	26 May 2010 21:53:07 -0000
@@ -1813,7 +1813,7 @@ function user_page_title($uid) {
   else {
     $account = user_load($uid);
   }
-  return is_object($account) ? format_username($account) : '';
+  return is_object($account) ? check_plain(format_username($account)) : '';
 }
 
 /**