The decodeBB did not escape <>, keep this functionality.

libraries/Message.class.php

@@ -654,7 +654,7 @@ class PMA_Message
      */
     static public function decodeBB($message)
     {
-        return PMA_sanitize($message, false);
+        return PMA_sanitize($message, false, true);
     }
 
     /**

libraries/sanitizing.lib.php

@@ -27,11 +27,12 @@
  *
  * @access  public
  */
-function PMA_sanitize($message, $escape = false)
+function PMA_sanitize($message, $escape = false, $safe = false)
 {
+    if (!$safe) {
+        $message = strtr($message, array('<' => '&lt;', '>' => '&gt;'));
+    }
     $replace_pairs = array(
-        '<'         => '&lt;',
-        '>'         => '&gt;',
         '[i]'       => '<em>',      // deprecated by em
         '[/i]'      => '</em>',     // deprecated by em
         '[em]'      => '<em>',