Index: wp-includes/default-filters.php
===================================================================
--- wp-includes/default-filters.php	(revision 12053)
+++ wp-includes/default-filters.php	(working copy)
@@ -151,6 +151,7 @@
 add_filter( 'comment_email',        'antispambot'                         );
 add_filter( 'option_tag_base',      '_wp_filter_taxonomy_base'            );
 add_filter( 'option_category_base', '_wp_filter_taxonomy_base'            );
+add_filter( 'the_posts',            '_sanitize_the_posts'                 );
 add_filter( 'the_posts',            '_close_comments_for_old_posts'       );
 add_filter( 'comments_open',        '_close_comments_for_old_post', 10, 2 );
 add_filter( 'pings_open',           '_close_comments_for_old_post', 10, 2 );
Index: wp-includes/post.php
===================================================================
--- wp-includes/post.php	(revision 12053)
+++ wp-includes/post.php	(working copy)
@@ -232,8 +232,8 @@
 			return $null;
 	} elseif ( is_object($post) && empty($post->filter) ) {
 		_get_post_ancestors($post);
-		wp_cache_add($post->ID, $post, 'posts');
-		$_post = &$post;
+		$_post = sanitize_post($post, 'raw');
+		wp_cache_add($post->ID, $_post, 'posts');
 	} else {
 		if ( is_object($post) )
 			$post = $post->ID;
@@ -243,11 +243,13 @@
 			if ( ! $_post )
 				return $null;
 			_get_post_ancestors($_post);
+			$_post = sanitize_post($_post, 'raw');
 			wp_cache_add($_post->ID, $_post, 'posts');
 		}
 	}
 
-	$_post = sanitize_post($_post, $filter);
+	if ($filter != 'raw')
+		$_post = sanitize_post($_post, $filter);
 
 	if ( $output == OBJECT ) {
 		return $_post;
@@ -834,6 +836,27 @@
 }
 
 /**
+ * Sanitize (filter 'raw') all posts returned in wp_query, once.  Hooked to the_posts.
+ *
+ * @access private
+ * @since 2.9.0
+ *
+ * @param array $posts Array of post data objects.
+ * @return array Sanitized posts objects
+ */
+function _sanitize_the_posts( $posts ) {
+	if ( empty($posts) )
+		return $posts;
+
+	$num_posts = count($posts);
+	for ($i = 0; $i < $num_posts; $i++) {
+		$posts[$i] = sanitize_post($posts[$i], 'raw');
+	}
+
+	return $posts;
+}
+
+/**
  * Sanitize post field based on context.
  *
  * Possible context values are:  'raw', 'edit', 'db', 'display', 'attribute' and 'js'. The