Unfortunately your advice doesn't work.
There's definitely something wrong with the format_text function, because when I commented it out completely and put this instead:
function format_text($text, $html = 0, $word_wrap = 0, $bbcode = 0, $bbcode_img = 0)
{
    return htmlspecialchars($text);
}
everything was fine. But I'm not sure if this workaround is safe.