diff --git a/modules/block/block.admin.inc b/modules/block/block.admin.inc
index 3fd8280..fb85bb4 100644
--- a/modules/block/block.admin.inc
+++ b/modules/block/block.admin.inc
@@ -202,11 +202,7 @@ function block_admin_configure(&$form_state, $module = NULL, $delta = 0) {
   while ($role = db_fetch_object($result)) {
     $default_role_options[] = $role->rid;
   }
-  $result = db_query('SELECT rid, name FROM {role} ORDER BY name');
-  $role_options = array();
-  while ($role = db_fetch_object($result)) {
-    $role_options[$role->rid] = $role->name;
-  }
+  $role_options = array_map('check_plain', user_roles());
   $form['role_vis_settings'] = array(
     '#type' => 'fieldset',
     '#title' => t('Role specific visibility settings'),
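Review bot: The escaping added at `$role_options = array_map('check_plain', user_roles());` is applied when the array is built rather than where it is printed, and nothing in the code says which output the array is meant for. The element that consumes `$role_options` lies outside this hunk; a checkboxes element prints its labels as given and needs the escape, whereas Drupal's select rendering escapes option labels itself and would show a role named `R&D` as `R&amp;D`. I would add a comment above the assignment, for example `// Role names are entered by administrators and the option labels are printed as-is, so escape them here.`, once the consumer is confirmed. The same pattern appears in the user_admin_account() and user_edit_form() hunks, where `$roles` is also consumed outside the visible lines.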
diff --git a/modules/filter/filter.admin.inc b/modules/filter/filter.admin.inc
index 36f3d67..f556d27 100644
--- a/modules/filter/filter.admin.inc
+++ b/modules/filter/filter.admin.inc
@@ -19,13 +19,17 @@ function filter_admin_overview() {
   $error = FALSE;
 
   foreach ($formats as $id => $format) {
-    $roles = array();
-    foreach (user_roles() as $rid => $name) {
-      // Prepare a roles array with roles that may access the filter.
-      if (strstr($format->roles, ",$rid,")) {
-        $roles[] = $name;
-      }
+    $format_roles = array();
+    $permission = filter_permission_name($format);
+
+    if ($format->format == filter_fallback_format()) {
+      $format_roles = user_roles();
+    } else if (!empty($permission)) {
+      // Do not list any roles if the permission does not exist.
+      $format_roles = user_roles(FALSE, $permission);
     }
+
+    $roles = array_map('check_plain', $format_roles);
     $default = ($id == variable_get('filter_default_format', 1));
     $options[$id] = '';
     $form[$format->name]['id'] = array('#value' => $id);
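Review bot: The new branch calls `filter_permission_name()` and `filter_fallback_format()`, neither of which is defined in the visible part of this patch, and it replaces the `$format->roles` lookup used by the removed lines, so the overview may list different roles than the ones the format actually grants access to. If this branch still stores format access in `$format->roles`, keeping that lookup and only wrapping the result in `check_plain` would fix the escaping without changing what the page reports. That is worth confirming, because this page is where an administrator audits who can use each input format. The condition also departs from Drupal's coding style, which puts `elseif` on its own line after the closing brace: `}` followed by `elseif (!empty($permission)) {`. The body of filter_admin_overview() continues outside the hunk.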
diff --git a/modules/user/user.admin.inc b/modules/user/user.admin.inc
index eac39df..eb9a14f 100644
--- a/modules/user/user.admin.inc
+++ b/modules/user/user.admin.inc
@@ -175,7 +175,7 @@ function user_admin_account() {
   $destination = drupal_get_destination();
 
   $status = array(t('blocked'), t('active'));
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   $accounts = array();
   while ($account = db_fetch_object($result)) {
     $accounts[$account->uid] = '';
@@ -546,7 +546,7 @@ function user_admin_perm($form_state, $rid = NULL) {
   // Have to build checkboxes here after checkbox arrays are built
   foreach ($role_names as $rid => $name) {
     $form['checkboxes'][$rid] = array('#type' => 'checkboxes', '#options' => $options, '#default_value' => isset($status[$rid]) ? $status[$rid] : array());
-    $form['role_names'][$rid] = array('#value' => $name, '#tree' => TRUE);
+    $form['role_names'][$rid] = array('#value' => check_plain($name), '#tree' => TRUE);
   }
   $form['submit'] = array('#type' => 'submit', '#value' => t('Save permissions'));
 
diff --git a/modules/user/user.module b/modules/user/user.module
index 625a00c..52f53ab 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -1529,7 +1529,7 @@ function user_edit_form(&$form_state, $uid, $edit, $register = FALSE) {
     );
   }
   if (user_access('administer permissions')) {
-    $roles = user_roles(TRUE);
+    $roles = array_map('check_plain', user_roles(TRUE));
 
     // The disabled checkbox subelement for the 'authenticated user' role
     // must be generated separately and added to the checkboxes element,
