diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 116c20377c2d5f9cb343a229ee1846c20f16c571..e995779bcee514d9578b4396b43065fb917a940d 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -150,6 +150,8 @@ Drupal 7.40, 2015-10-14
   against SQL injection (API change: https://www.drupal.org/node/2463973).
 - Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused the upgrade
   to fail when there were multiple file records pointing to the same file.
+- Added a a new option to format_xml_elections() to allow for already encoded
+  values.
 - Numerous small bug fixes.
 - Numerous API documentation improvements.
 - Additional automated test coverage.
diff --git a/includes/common.inc b/includes/common.inc
index 717f568d1763934bc468d348d14f650ad2b2d0d6..532a642032fc86d92c545ece1df5b61046ee0096 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1770,9 +1770,15 @@ function format_rss_item($title, $link, $description, $args = array()) {
  *     - 'key': element name
  *     - 'value': element contents
  *     - 'attributes': associative array of element attributes
+ *     - 'encoded': TRUE if 'value' is already encoded
  *
  * In both cases, 'value' can be a simple string, or it can be another array
  * with the same format as $array itself for nesting.
+ *
+ * If 'encoded' is TRUE it is up to the caller to ensure that 'value' is either
+ * entity-encoded or CDATA-escaped. Using this option is not recommended when
+ * working with untrusted user input, since failing to escape the data
+ * correctly has security implications.
  */
 function format_xml_elements($array) {
   $output = '';
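Review bot: The added docblock text does not say that 'encoded' is only consulted when 'value' is a string. In the second hunk an array 'value' goes to the recursive `format_xml_elements()` call and the parent's flag is never read, so each nested leaf has to set the flag itself. I would add a line such as `'encoded' is ignored when 'value' is an array; set it on each nested element that needs it.` If the simple `'key' => 'value'` form (handled outside this hunk) always escapes, the docblock could say that too. The docblock begins before the hunk, so the surrounding list wording is not fully visible here.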
@@ -1785,7 +1791,7 @@ function format_xml_elements($array) {
         }
 
         if (isset($value['value']) && $value['value'] != '') {
-          $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : check_plain($value['value'])) . '</' . $value['key'] . ">\n";
+          $output .= '>' . (is_array($value['value']) ? format_xml_elements($value['value']) : (!empty($value['encoded']) ? $value['value'] : check_plain($value['value']))) . '</' . $value['key'] . ">\n";
         }
         else {
           $output .= " />\n";
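Review bot: The new `!empty($value['encoded'])` test on the changed `$output .=` line skips `check_plain()` for any truthy value, not only the boolean TRUE the docblock describes. An element array that picks up `'encoded' => 'no'` or `1` from decoded or merged input would therefore be written into the XML unescaped. Because the flag sits in the same array as the data it governs, a strict comparison keeps the opt-out explicit: `(isset($value['encoded']) && $value['encoded'] === TRUE ? $value['value'] : check_plain($value['value']))`. No test for either path is visible in this diff; one asserting that markup characters in 'value' are still escaped when the flag is absent or non-boolean would pin the safe default. The body of format_xml_elements() starts and ends outside this hunk.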