Index: modules/block/block.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.admin.inc,v
retrieving revision 1.75
diff -u -p -r1.75 block.admin.inc
--- modules/block/block.admin.inc	9 Mar 2010 12:09:52 -0000	1.75
+++ modules/block/block.admin.inc	21 Mar 2010 20:14:37 -0000
@@ -313,7 +313,7 @@ function block_admin_configure($form, &$
     ':module' => $block->module,
     ':delta' => $block->delta,
   ))->fetchCol();
-  $role_options = db_query('SELECT rid, name FROM {role} ORDER BY name')->fetchAllKeyed();
+  $role_options = array_map('check_plain', db_query('SELECT rid, name FROM {role} ORDER BY name')->fetchAllKeyed());
   $form['visibility']['role'] = array(
     '#type' => 'fieldset',
     '#title' => t('Roles'),
Index: modules/filter/filter.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.admin.inc,v
retrieving revision 1.58
diff -u -p -r1.58 filter.admin.inc
--- modules/filter/filter.admin.inc	6 Mar 2010 19:40:21 -0000	1.58
+++ modules/filter/filter.admin.inc	21 Mar 2010 20:14:37 -0000
@@ -28,7 +28,7 @@ function filter_admin_overview($form) {
     }
     else {
       $form['formats'][$id]['name'] = array('#markup' => check_plain($format->name));
-      $roles = filter_get_roles_by_format($format);
+      $roles = array_map('check_plain', filter_get_roles_by_format($format));
       $roles_markup = $roles ? implode(', ', $roles) : t('No roles may use this format');
     }
     $form['formats'][$id]['roles'] = array('#markup' => $roles_markup);
@@ -123,7 +123,7 @@ function filter_admin_format_form($form,
   $form['roles'] = array(
     '#type' => 'checkboxes',
     '#title' => t('Roles'),
-    '#options' => user_roles(),
+    '#options' => array_map('check_plain', user_roles()),
     '#disabled' => $is_fallback,
   );
   if ($is_fallback) {
Index: modules/user/user.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.admin.inc,v
retrieving revision 1.101
diff -u -p -r1.101 user.admin.inc
--- modules/user/user.admin.inc	7 Mar 2010 06:49:10 -0000	1.101
+++ modules/user/user.admin.inc	21 Mar 2010 20:14:37 -0000
@@ -188,7 +188,7 @@ function user_admin_account() {
   $destination = drupal_get_destination();
 
   $status = array(t('blocked'), t('active'));
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   $accounts = array();
   foreach ($result as $account) {
     $users_roles = array();
@@ -699,7 +699,7 @@ function user_admin_permissions($form, $
   // Have to build checkboxes here after checkbox arrays are built
   foreach ($role_names as $rid => $name) {
     $form['checkboxes'][$rid] = array('#type' => 'checkboxes', '#options' => $options, '#default_value' => isset($status[$rid]) ? $status[$rid] : array());
-    $form['role_names'][$rid] = array('#markup' => $name, '#tree' => TRUE);
+    $form['role_names'][$rid] = array('#markup' => check_plain($name), '#tree' => TRUE);
   }
 
   $form['actions'] = array('#type' => 'container', '#attributes' => array('class' => array('form-actions')));
@@ -867,10 +867,10 @@ function theme_user_admin_new_role($vari
   foreach (user_roles() as $rid => $name) {
     $edit_permissions = l(t('edit permissions'), 'admin/people/permissions/' . $rid);
     if (in_array($rid, array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID))) {
-      $rows[] = array(t('!name %locked', array('!name' => $name, '%locked' => t('(locked)'))), '', $edit_permissions);
+      $rows[] = array(t('@name %locked', array('@name' => $name, '%locked' => t('(locked)'))), '', $edit_permissions);
     }
     else {
-      $rows[] = array($name, l(t('edit role'), 'admin/people/permissions/roles/edit/' . $rid), $edit_permissions);
+      $rows[] = array(check_plain($name), l(t('edit role'), 'admin/people/permissions/roles/edit/' . $rid), $edit_permissions);
     }
   }
   $rows[] = array(array('data' => drupal_render($form['name']) . drupal_render($form['submit']), 'colspan' => 3, 'class' => 'edit-name'));
Index: modules/user/user.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/user/user.module,v
retrieving revision 1.1139
diff -u -p -r1.1139 user.module
--- modules/user/user.module	20 Mar 2010 19:06:12 -0000	1.1139
+++ modules/user/user.module	21 Mar 2010 20:14:38 -0000
@@ -975,7 +975,7 @@ function user_account_form(&$form, &$for
     '#access' => $admin,
   );
 
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   // The disabled checkbox subelement for the 'authenticated user' role
   // must be generated separately and added to the checkboxes element,
   // because of a limitation in Form API not supporting a single disabled