According to this comment on my last patch, talkread.bml isn't escaping bml in comment subjects.
This patch does this. (Tested; works.)
http://goathack.livejournal.org:8030/patches/2001-01-09-talkread.bml.diff
I also noticed that userpic alt tags were cleaned for html. This led me to ask myself if they should be cleaned for bml as well. (I ended up doing this.)
On my goathack I put in a picture keyword of '(=H1 blah H1=)'. In editpics.bml, the keyword shows up as '<P><span class="heading">blah</span>' (because html was escaped). In allpics.bml, it came out unescaped.
#1. editpics.bml (tested; works):
http://goathack.livejournal.org:8030/patches/2001-01-09-editpics.bml.diff
#2. allpics.bml (tested; works):
http://goathack.livejournal.org:8030/patches/2001-01-09-allpics.bml.diff
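The behaviour described above (HTML escaped, BML not, so a keyword of '(=H1 blah H1=)' still comes out as a heading) can be reproduced with a small model. The code below is an added example, not the patches linked here and not LiveJournal's own BML engine or escaping functions: the BML expander handles only a single H1 block tag, and the `ebml` escaping scheme (encoding the `=` of the `(=` / `=)` delimiters as `&#61;`) is an assumption chosen for illustration, not a claim about how the real codebase escapes BML.

```python
import html
import re

# Constructed toy BML expander for this example (not LiveJournal's real BML
# engine). It understands one block tag, "(=H1 ... H1=)", and renders it the
# way the post describes: <P><span class="heading">...</span>.
H1_BLOCK = re.compile(r"\(=H1\s+(.*?)\s+H1=\)", re.S)


def expand_bml(page: str) -> str:
    """Server-side step: turn BML block tags found in a page into HTML."""
    return H1_BLOCK.sub(
        lambda m: '<P><span class="heading">' + m.group(1) + '</span>', page)


def ehtml(s: str) -> str:
    """Escape for the browser: <, >, & and quotes become entities."""
    return html.escape(s, quote=True)


def ebml(s: str) -> str:
    """Escape for the BML processor (constructed scheme, an assumption here):
    encode the '=' of the '(=' and '=)' delimiters as the HTML entity &#61;.
    The BML processor no longer sees a tag, while the browser still renders a
    literal '='."""
    return s.replace("(=", "(&#61;").replace("=)", "&#61;)")


def render_keyword_option(keyword: str, escape_bml: bool) -> str:
    """Mimic a picture-selector template that drops a user keyword into an
    <option>, then runs the page through the BML processor as the server
    would. With escape_bml=False the keyword is only HTML-escaped, which is
    the unpatched behaviour the post describes."""
    text = ehtml(keyword)          # always HTML-escape user data
    if escape_bml:
        text = ebml(text)          # and neutralise BML delimiters as well
    page = "<option>" + text + "</option>"
    return expand_bml(page)


def wrong_order(keyword: str) -> str:
    """Order matters: escaping BML first and HTML second double-encodes the
    '&' that ebml introduced, so the browser would show a literal '&#61;'
    instead of '='. HTML-escape first, then BML-escape."""
    return expand_bml("<option>" + ehtml(ebml(keyword)) + "</option>")


# Constructed sample input: the keyword used in the post.
KEYWORD = "(=H1 blah H1=)"

if __name__ == "__main__":
    print("HTML-escaped only    :", render_keyword_option(KEYWORD, escape_bml=False))
    print("HTML- and BML-escaped:", render_keyword_option(KEYWORD, escape_bml=True))
    print("wrong order          :", wrong_order(KEYWORD))
```

The point to take from it: user data that passes through two interpreters (the BML processor on the server, then the browser) needs an escape for each layer, applied in the reverse order of interpretation, and a grep for every template that prints a user-supplied string is the only reliable way to find the spots that got one escape but not the other.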
I'm sure there are other places where bml should be escaped (topics? friends groups?). I'll check around later.
Found one more: when editing this entry using editjournal_do.bml, I noticed that the bml wasn't escaped, thus causing unwanted html to end up in the post. (I also escaped bml in friend group names and the picture selector.)
http://goathack.livejournal.org:8030/patches/2001-01-09-editjournal_do.bml.diff
Another (picture related): update.bml?mode=full doesn't escape bml in the picture selector (and friends groups). (Same with editjournal_do.bml. I went back and did this.)
http://goathack.livejournal.org:8030/patches/2001-01-09-update.bml.diff
Update: I believe this is driving me insane. "I can't go to bed because I just thought of another place I need to escape bml!" Argh. I'm going to bed anyway.
To-do: friends/editgroups.bml, friends/filter.bml
haha: The patches have the wrong year on them. I'm dumb.