Index: wp-includes/default-filters.php
===================================================================
--- wp-includes/default-filters.php	(revision 11905)
+++ wp-includes/default-filters.php	(working copy)
@@ -23,13 +23,21 @@
 	add_filter($filter, '_wp_specialchars', 30);
 }
 
-// Kses only for textarea saves
-$filters = array('pre_term_description', 'pre_link_description', 'pre_link_notes', 'pre_user_description');
+// Strip, kses, special chars for string display
+$filters = array('term_name', 'comment_author_name', 'link_name', 'link_target', 'link_rel', 'user_display_name', 'user_first_name', 'user_last_name', 'user_nickname');
 foreach ( $filters as $filter ) {
+	add_filter($filter, 'strip_tags');
 	add_filter($filter, 'wp_filter_kses');
+	add_filter($filter, '_wp_specialchars', 30);
 }
 
-// Email
+// Kses only for textarea saves and displays
+$filters = array('pre_term_description', 'term_description', 'pre_link_description', 'link_description', 'pre_link_notes', 'link_notes', 'pre_user_description', 'user_description');
+foreach ( $filters as $filter ) {
+	add_filter($filter, 'wp_filter_kses');
+}
+
+// Email saves
 $filters = array('pre_comment_author_email', 'pre_user_email');
 foreach ( $filters as $filter ) {
 	add_filter($filter, 'trim');
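Review bot: The new display-filter lists cover user_display_name, user_first_name, user_last_name, user_nickname, user_description and (in the next hunk) user_email, but not `user_login` or `user_nicename`, and in the new sanitize_user_field() the 'display' context applies nothing beyond the per-field filter. A template that switches to sanitize_user_object() for display output therefore gets those two fields back unchanged unless a filter is registered for them elsewhere; if that is intended, a comment on the list such as `// user_login/user_nicename carry no display filter; escape at output` would save the next reader a search. As a point of style, this is now the fourth near-identical `foreach ( $filters as $filter ) { add_filter(...) }` block in the file; a small helper taking the filter names and callbacks would make the save/display pairs easier to compare.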
@@ -37,6 +45,13 @@
 	add_filter($filter, 'wp_filter_kses');
 }
 
+// Email display
+$filters = array('comment_author_email', 'user_email');
+foreach ( $filters as $filter ) {
+	add_filter($filter, 'sanitize_email');
+	add_filter($filter, 'wp_filter_kses');
+}
+
 // Save URL
 $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_link_image',
 	'pre_link_rss');
Index: wp-includes/registration.php
===================================================================
--- wp-includes/registration.php	(revision 11905)
+++ wp-includes/registration.php	(working copy)
@@ -201,7 +201,7 @@
 	foreach (_wp_get_user_contactmethods() as $method => $name) {
 		if ( empty($$method) )
 			$$method = '';
-		
+
 		update_usermeta( $user_id, $method, $$method );
 	}
 
Index: wp-includes/user.php
===================================================================
--- wp-includes/user.php	(revision 11905)
+++ wp-includes/user.php	(working copy)
@@ -600,4 +600,121 @@
 	wp_cache_add($user->user_nicename, $user->ID, 'userslugs');
 }
 
+/**
+ * Sanitize every user field.
+ *
+ * If the context is 'raw', then the user object or array will get minimal santization of the int fields.
+ *
+ * @since 2.3.0
+ * @uses sanitize_user_field() Used to sanitize the fields.
+ *
+ * @param object|array $user The User Object or Array
+ * @param string $context Optional, default is 'display'. How to sanitize user fields.
+ * @return object|array The now sanitized User Object or Array (will be the same type as $user)
+ */
+function sanitize_user_object($user, $context = 'display') {
+	if ( is_object($user) ) {
+		if ( !isset($user->ID) )
+			$user->ID = 0;
+		if ( isset($user->data) )
+			$vars = get_object_vars( $user->data );
+		else
+			$vars = get_object_vars($user);
+		foreach ( array_keys($vars) as $field ) {
+			if ( is_array($user->$field) )
+				continue;
+			$user->$field = sanitize_user_field($field, $user->$field, $user->ID, $context);
+		}
+		$user->filter = $context;
+	} else {
+		if ( !isset($user['ID']) )
+			$user['ID'] = 0;
+		foreach ( array_keys($user) as $field )
+			$user[$field] = sanitize_user_field($field, $user[$field], $user['ID'], $context);
+		$user['filter'] = $context;
+	}
+
+	return $user;
+}
+
+/**
+ * Sanitize user field based on context.
+ *
+ * Possible context values are:  'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The
+ * 'display' context is used by default. 'attribute' and 'js' contexts are treated like 'display'
+ * when calling filters.
+ *
+ * @since 2.3.0
+ * @uses apply_filters() Calls 'edit_$field' and '${field_no_prefix}_edit_pre' passing $value and
+ *  $user_id if $context == 'edit' and field name prefix == 'user_'.
+ *
+ * @uses apply_filters() Calls 'edit_user_$field' passing $value and $user_id if $context == 'db'.
+ * @uses apply_filters() Calls 'pre_$field' passing $value if $context == 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls '${field}_pre' passing $value if $context == 'db' and field name prefix != 'user_'.
+ *
+ * @uses apply_filters() Calls '$field' passing $value, $user_id and $context if $context == anything
+ *  other than 'raw', 'edit' and 'db' and field name prefix == 'user_'.
+ * @uses apply_filters() Calls 'user_$field' passing $value if $context == anything other than 'raw',
+ *  'edit' and 'db' and field name prefix != 'user_'.
+ *
+ * @param string $field The user Object field name.
+ * @param mixed $value The user Object value.
+ * @param int $user_id user ID.
+ * @param string $context How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display',
+ *               'attribute' and 'js'.
+ * @return mixed Sanitized value.
+ */
+function sanitize_user_field($field, $value, $user_id, $context) {
+	$int_fields = array('ID');
+	if ( in_array($field, $int_fields) )
+		$value = (int) $value;
+
+	if ( 'raw' == $context )
+		return $value;
+
+	if ( is_array($value) )
+		return $value;
+
+	$prefixed = false;
+	if ( false !== strpos($field, 'user_') ) {
+		$prefixed = true;
+		$field_no_prefix = str_replace('user_', '', $field);
+	}
+
+	if ( 'edit' == $context ) {
+		if ( $prefixed ) {
+			$value = apply_filters("edit_$field", $value, $user_id);
+		} else {
+			$value = apply_filters("edit_user_$field", $value, $user_id);
+		}
+
+		if ( 'description' == $field )
+			$value = esc_html($value);
+		else
+			$value = esc_attr($value);
+	} else if ( 'db' == $context ) {
+		if ( $prefixed ) {
+			$value = apply_filters("pre_$field", $value);
+		} else {
+			$value = apply_filters("pre_user_$field", $value);
+		}
+	} else {
+		// Use display filters by default.
+		if ( $prefixed )
+			$value = apply_filters($field, $value, $user_id, $context);
+		else
+			$value = apply_filters("user_$field", $value, $user_id, $context);
+	}
+
+	if ( 'user_url' == $field )
+		$value = esc_url($value);
+
+	if ( 'attribute' == $context )
+		$value = esc_attr($value);
+	else if ( 'js' == $context )
+		$value = esc_js($value);
+
+	return $value;
+}
+
 ?>
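Review bot: sanitize_user_object() records `$user->filter = $context` but never reads it back, so an object already filtered for the same context is run through the filters and escapers again; because the object branch writes into the instance the caller passed (objects are handles in PHP 5), the WP_User handed in from template.php is itself rewritten and a second 'display' pass re-escapes already-escaped values. An early `if ( isset($user->filter) && $context == $user->filter ) return $user;` at the top of the object branch (and the `$user['filter']` equivalent in the array branch) would make the function idempotent, which is what sanitize_post() does for posts as far as I recall. In sanitize_user_field(), `false !== strpos($field, 'user_')` tests for the substring anywhere in the name rather than the prefix the docblock describes, and `$field_no_prefix` is assigned but never used; `0 === strpos($field, 'user_')` and dropping the unused variable would match the documented behaviour. The `@uses` lines naming `'${field_no_prefix}_edit_pre'` and `'${field}_pre'` describe filters the code never applies (it calls `edit_user_$field` and `pre_user_$field`), and both `@since 2.3.0` tags look copied from elsewhere, since the capabilities.php hunk dates the same feature `@since 2.9.0`.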
Index: wp-includes/capabilities.php
===================================================================
--- wp-includes/capabilities.php	(revision 11905)
+++ wp-includes/capabilities.php	(working copy)
@@ -449,6 +449,15 @@
 	var $last_name = '';
 
 	/**
+	 * The filter context applied to user data fields.
+	 *
+	 * @since 2.9.0
+	 * @access private
+	 * @var string
+	 */
+	var $filter = null;
+
+	/**
 	 * PHP4 Constructor - Sets up the object properties.
 	 *
 	 * Retrieves the userdata and then assigns all of the data keys to direct
Index: wp-admin/users.php
===================================================================
--- wp-admin/users.php	(revision 11905)
+++ wp-admin/users.php	(working copy)
@@ -385,14 +385,6 @@
 </form>
 </div>
 
-<?php
-	foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
-		$var = 'new_' . $var;
-		$$var = isset($_REQUEST[$formpost]) ? esc_attr(stripslashes($_REQUEST[$formpost])) : '';
-	}
-	unset($name);
-?>
-
 <br class="clear" />
 <?php
 break;
Index: wp-admin/includes/template.php
===================================================================
--- wp-admin/includes/template.php	(revision 11905)
+++ wp-admin/includes/template.php	(working copy)
@@ -1892,6 +1892,7 @@
 
 	if ( !( is_object( $user_object) && is_a( $user_object, 'WP_User' ) ) )
 		$user_object = new WP_User( (int) $user_object );
+	$user_object = sanitize_user_object($user_object);
 	$email = $user_object->user_email;
 	$url = $user_object->user_url;
 	$short_url = str_replace( 'http://', '', $url );
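Review bot: sanitize_user_object() is called here with the default 'display' context, in which sanitize_user_field() runs only the per-field display filters and escapes nothing itself (esc_attr is reserved for the 'attribute' context), and the `_wp_specialchars` default filter at its default quote style leaves double quotes unencoded as far as I can tell. If `$email`, `$url` or any other field is written into an HTML attribute further down in this function (its body continues past the hunk), that output still needs esc_attr()/esc_url() at the echo, or the object should be prepared with `sanitize_user_object($user_object, 'attribute')` for those uses. Separately, the object branch rewrites the instance in place, so a caller that passes in its own WP_User receives it back permanently display-filtered; a comment noting that here would help, e.g. `// Note: mutates $user_object in place (display context).`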
Index: wp-admin/includes/user.php
===================================================================
--- wp-admin/includes/user.php	(revision 11905)
+++ wp-admin/includes/user.php	(working copy)
@@ -370,21 +370,18 @@
  */
 function get_user_to_edit( $user_id ) {
 	$user = new WP_User( $user_id );
-	$user->user_login   = esc_attr($user->user_login);
-	$user->user_email   = esc_attr($user->user_email);
-	$user->user_url     = esc_url($user->user_url);
-	$user->first_name   = esc_attr($user->first_name);
-	$user->last_name    = esc_attr($user->last_name);
-	$user->display_name = esc_attr($user->display_name);
-	$user->nickname     = esc_attr($user->nickname);
 
 	$user_contactmethods = _wp_get_user_contactmethods();
 	foreach ($user_contactmethods as $method => $name) {
-		$user->{$method} = isset( $user->{$method} ) && !empty( $user->{$method} ) ? esc_attr($user->{$method}) : '';
+		if ( empty( $user->{$method} ) )
+			$user->{$method} = '';
 	}
-	
-	$user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
 
+	if ( empty($user->description) )
+		$user->description = '';
+
+	$user = sanitize_user_object($user, 'edit');
+
 	return $user;
 }
 

