#316136 by pwolanin, David_Rothstein, coltrane, Heine: Fixed role name not filtered on admin/user/permissions.

2 files changed, 3 insertions, 3 deletions

diff --git a/modules/user/user.admin.inc b/modules/user/user.admin.inc
index ee100630c..7d92b7484 100644
--- a/modules/user/user.admin.inc
+++ b/modules/user/user.admin.inc
@@ -188,7 +188,7 @@ function user_admin_account() {
   $destination = drupal_get_destination();
 
   $status = array(t('blocked'), t('active'));
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   $accounts = array();
   foreach ($result as $account) {
     $users_roles = array();
@@ -705,7 +705,7 @@ function user_admin_permissions($form, $form_state, $rid = NULL) {
   // Have to build checkboxes here after checkbox arrays are built
   foreach ($role_names as $rid => $name) {
     $form['checkboxes'][$rid] = array('#type' => 'checkboxes', '#options' => $options, '#default_value' => isset($status[$rid]) ? $status[$rid] : array());
-    $form['role_names'][$rid] = array('#markup' => $name, '#tree' => TRUE);
+    $form['role_names'][$rid] = array('#markup' => check_plain($name), '#tree' => TRUE);
   }
 
   $form['actions'] = array('#type' => 'container', '#attributes' => array('class' => array('form-actions')));
diff --git a/modules/user/user.module b/modules/user/user.module
index 2d23929bd..063704054 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -975,7 +975,7 @@ function user_account_form(&$form, &$form_state) {
     '#access' => $admin,
   );
 
-  $roles = user_roles(TRUE);
+  $roles = array_map('check_plain', user_roles(TRUE));
   // The disabled checkbox subelement for the 'authenticated user' role
   // must be generated separately and added to the checkboxes element,
   // because of a limitation in Form API not supporting a single disabled