Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.289
diff -u -p -r1.289 bootstrap.inc
--- includes/bootstrap.inc	14 Jul 2009 10:22:15 -0000	1.289
+++ includes/bootstrap.inc	18 Jul 2009 19:54:35 -0000
@@ -1024,11 +1024,21 @@ function drupal_unpack($obj, $field = 'd
 /**
  * Encode special characters in a plain-text string for display as HTML.
  *
- * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
- * Internet Explorer 6.
+ * check_plain() also validates strings as UTF-8 to prevent cross site scripting
+ * attacks on Internet Explorer 6. We duplicate the preg_match() from
+ * drupal_validate_utf8() here rather than calling the function to avoid
+ * the overhead of an additional function call, since check_plain() may be
+ * called hundreds of times during a request.
+ *
+ * @param $text
+ *   The text to be checked or processed.
+ * @return
+ *   An HTML safe version of $text, or an empty string if $text is not
+ *   valid UTF-8.
+ * @see drupal_validate_utf8().
  */
 function check_plain($text) {
-  return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+  return (preg_match('/^./us', $text) == 1) ? htmlspecialchars($text, ENT_QUOTES) : '';
 }
 
 /**
@@ -1055,9 +1065,6 @@ function check_plain($text) {
  *   TRUE if the text is valid UTF-8, FALSE if not.
  */
 function drupal_validate_utf8($text) {
-  if (strlen($text) == 0) {
-    return TRUE;
-  }
   // With the PCRE_UTF8 modifier 'u', preg_match() fails silently on strings
   // containing invalid UTF-8 byte sequences. It does not reject character
   // codes above U+10FFFF (represented by 4 or more octets), though.
Index: includes/common.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/common.inc,v
retrieving revision 1.935
diff -u -p -r1.935 common.inc
--- includes/common.inc	15 Jul 2009 17:40:17 -0000	1.935
+++ includes/common.inc	18 Jul 2009 19:54:38 -0000
@@ -1345,8 +1345,11 @@ function filter_xss_admin($string) {
  */
 function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
   // Only operate on valid UTF-8 strings. This is necessary to prevent cross
-  // site scripting issues on Internet Explorer 6.
-  if (!drupal_validate_utf8($string)) {
+  // site scripting issues on Internet Explorer 6. We duplicate the preg_match
+  // from drupal_validate_utf8() to avoid the overhead of an additional
+  // function call.
+  // @see drupal_validate_utf8().
+  if (!preg_match('/^./us', $string) == 1) {
     return '';
   }
   // Store the text format
