Yep, has nothing to do with our present code.
Your old code, when you applied the hack in the old software, wrote the information in real HTML format, which is not good.
I altered an upgrade script to run htmlspecialchars on your product fields and all is good.
Now do realize I placed the ability for customers to be able to show HTML in products and reviews as a switch and give a stern warning. vBulletin does much the same. Do realize you open your system up to security issues when you allow people to upload HTML and let it display on your site.
However, the number one requested thing in ReviewPost has always been to be able to display HTML, hence the ability to have it as a switch. But my warning stays the same.
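
The escaping step and the HTML switch described in the post above, as an added PHP example that is not ReviewPost's own code. The function names, the field names, and the `$allowHtml` flag are assumptions made for illustration.

```php
<?php
// Added example. All names here (escape_field, upgrade_rows, prepare_field,
// the 'title'/'description' fields, $allowHtml) are hypothetical.

// Escape one field. double_encode=false leaves existing entities such as
// &amp; untouched, so running the upgrade step twice does not yield &amp;amp;.
function escape_field(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// One-time upgrade step: escape the named fields of every stored row.
function upgrade_rows(array $rows, array $fields): array
{
    foreach ($rows as $i => $row) {
        foreach ($fields as $f) {
            if (isset($row[$f]) && is_string($row[$f])) {
                $rows[$i][$f] = escape_field($row[$f]);
            }
        }
    }
    return $rows;
}

// New submissions: markup is kept only when the site owner has turned the
// "allow HTML" switch on; the default is to escape.
function prepare_field(string $raw, bool $allowHtml = false): string
{
    return $allowHtml ? $raw : escape_field($raw);
}

// Constructed sample rows standing in for old product records.
$old = [
    ['id' => 1, 'title' => 'Tom & Jerry <b>box set</b>',
     'description' => '<script>alert(1)</script> Great value'],
    ['id' => 2, 'title' => 'Already &amp; escaped',
     'description' => 'Plain text'],
];

$once  = upgrade_rows($old, ['title', 'description']);
$twice = upgrade_rows($once, ['title', 'description']);

echo $once[0]['title'], "\n";        // Tom &amp; Jerry &lt;b&gt;box set&lt;/b&gt;
echo $once[0]['description'], "\n";  // &lt;script&gt;alert(1)&lt;/script&gt; Great value
var_dump($once === $twice);          // bool(true): the upgrade is idempotent

echo prepare_field('<i>nice</i>'), "\n";        // &lt;i&gt;nice&lt;/i&gt;
echo prepare_field('<i>nice</i>', true), "\n";  // <i>nice</i> (switch on, markup kept)
```

With the switch on, whatever a reviewer submits reaches other visitors' browsers as live markup, which is the exposure the warning in the post refers to.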