role_delegation_delegate_roles_action_form() doesn't sanitize the value of the #title attribute in the form. The value is a role name, which is stored unsanitized in the database. It needs to be sanitized for output with check_plain().
The Drupal security team has cleared this bug to be fixed publicly.
Comments
Comment #1
Andrew Schulman commented: Fixed in 7.x-1.1.
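
The pattern the report describes, a stored role name placed in `#title` with and without `check_plain()`, as an added example that is not the module's code. The form builder, the renderer, the element keys and the sample role names are hypothetical, and the `check_plain()` stand-in only lets the script run outside Drupal.

```php
<?php
// Stand-in for Drupal 7's check_plain() so the script runs outside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample data: role names as stored, unsanitized, in the database.
$roles = array(
  3 => 'editor',
  4 => 'QA & "release" team',
  5 => '<script>alert("role")</script>',
);

// Hypothetical form builder. With $escape FALSE the role name reaches #title
// as stored; with TRUE it is escaped for output. The stored value is untouched.
function example_roles_form(array $roles, $escape) {
  $form = array();
  foreach ($roles as $rid => $name) {
    $form['role_' . $rid] = array(
      '#type' => 'checkbox',
      '#title' => $escape ? check_plain($name) : $name,
    );
  }
  return $form;
}

// Simplified stand-in renderer (assumption): treats #title as markup.
function example_render(array $form) {
  $html = '';
  foreach ($form as $key => $element) {
    $html .= '<label><input type="checkbox" name="' . check_plain($key) . '"> '
      . $element['#title'] . "</label>\n";
  }
  return $html;
}

echo "Without check_plain():\n", example_render(example_roles_form($roles, FALSE));
echo "With check_plain():\n", example_render(example_roles_form($roles, TRUE));

// Check: no escaped title may still contain a raw tag delimiter or quote.
foreach (example_roles_form($roles, TRUE) as $key => $element) {
  if (preg_match('/[<>"]/', $element['#title'])) {
    throw new Exception("Unescaped markup in #title of $key");
  }
}
```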