Justin C. Klein Keane reported that content_access does not check_plain role names before displaying them on the 'Access Control' screen of managed content types.
We do not consider this a vulnerability because it can only be exploited by users with the "administer permissions" permission. As users with "administer permissions" can already elevate their permissions through normal means, an XSS attack is just a more complicated way of doing something that is already possible.
It is a bug, however: as role names are plain text, they cannot be passed as-is into HTML. If you do not check_plain role names you may end up with invalid HTML or break something (& vs.
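To show the difference between the unescaped and the escaped rendering described above, here is an added PHP example; it is not content_access code, the role names are constructed, and the `check_plain()` fallback only stands in for Drupal's own function when the snippet is run outside Drupal.

```php
<?php
// Added example (not content_access code): why role names must go through
// check_plain() before being placed in the Access Control form's HTML.

// Fallback so the snippet runs outside Drupal; Drupal's own check_plain()
// is the equivalent htmlspecialchars() call.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample role names, keyed by role id, as an administrator
// could have saved them.
$roles = array(
  3 => 'editor',
  4 => 'Sales & Marketing',              // bare ampersand: invalid HTML
  5 => 'reviewer <em>(read-only)</em>',  // markup is rendered, not displayed
);

// Unescaped: the label is built from the raw name (the reported bug).
function role_checkbox_unescaped($rid, $name) {
  return '<label><input type="checkbox" name="view[' . $rid . ']"> '
    . $name . '</label>';
}

// Escaped: the name is shown literally and the HTML stays well-formed.
function role_checkbox_escaped($rid, $name) {
  return '<label><input type="checkbox" name="view[' . $rid . ']"> '
    . check_plain($name) . '</label>';
}

foreach ($roles as $rid => $name) {
  echo "unescaped: ", role_checkbox_unescaped($rid, $name), "\n";
  echo "escaped:   ", role_checkbox_escaped($rid, $name), "\n";
}

// In Form API terms (assumed usage, not the module's actual code), the same
// fix is to escape the option labels before handing them to the form.
$form['view'] = array(
  '#type'    => 'checkboxes',
  '#title'   => 'View any content',
  '#options' => array_map('check_plain', $roles),
);
```

Run with `php example.php`; the unescaped lines for roles 4 and 5 contain a bare `&` and live `<em>` tags, while the escaped lines show `&amp;` and `&lt;em&gt;`.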