Index: wp-admin/includes/user.php
===================================================================
--- wp-admin/includes/user.php	(revision 23596)
+++ wp-admin/includes/user.php	(working copy)
@@ -44,9 +44,9 @@
 
 	$pass1 = $pass2 = '';
 	if ( isset( $_POST['pass1'] ))
-		$pass1 = $_POST['pass1'];
+		$pass1 = wp_unslash( $_POST['pass1'] );
 	if ( isset( $_POST['pass2'] ))
-		$pass2 = $_POST['pass2'];
+		$pass2 = wp_unslash( $_POST['pass2'] );
 
 	if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
 		$new_role = sanitize_text_field( $_POST['role'] );
@@ -106,10 +106,10 @@
 
 	/* checking that username has been typed */
 	if ( $user->user_login == '' )
-		$errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ));
+		$errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );
 
 	/* checking the password has been typed twice */
-	do_action_ref_array( 'check_passwords', array ( $user->user_login, & $pass1, & $pass2 ));
+	do_action_ref_array( 'check_passwords', array( $user->user_login, &$pass1, &$pass2 ) );
 
 	if ( $update ) {
 		if ( empty($pass1) && !empty($pass2) )
@@ -150,7 +150,7 @@
 	}
 
 	// Allow plugins to return their own errors.
-	do_action_ref_array('user_profile_update_errors', array ( &$errors, $update, &$user ) );
+	do_action_ref_array( 'user_profile_update_errors', array( &$errors, $update, &$user ) );
 
 	if ( $errors->get_error_codes() )
 		return $errors;
@@ -159,7 +159,7 @@
 		$user_id = wp_update_user( $user );
 	} else {
 		$user_id = wp_insert_user( $user );
-		wp_new_user_notification( $user_id, isset($_POST['send_password']) ? $pass1 : '' );
+		wp_new_user_notification( $user_id, isset( $_POST['send_password'] ) ? $pass1 : '' );
 	}
 	return $user_id;
 }