I've found an XSS in the processing of BB codes.
The vulnerable tag is "[url]".
As a fix I have made a compulsory replacement of & with &amp; in the function format_comment
before the call to htmlspecialchars_uni.
Incidentally, does anybody know why htmlspecialchars_uni passes &#digit; through?
Sorry for my English, please advise :)
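An added illustration of the difference the post is pointing at, written for this page and not taken from the forum software or the poster's patch. It assumes that htmlspecialchars_uni behaves like the stand-in `escape_preserving_entities` below, i.e. that it leaves already-present entities such as `&#60;` untouched, and it shows why forcing every `&` to `&amp;` first (as the post describes doing in format_comment) removes that loophole. The sample tag content is constructed.

```php
<?php
// Stand-in for an entity-preserving escaper (assumed to mirror the
// behaviour of htmlspecialchars_uni described in the post): <, > and "
// are escaped, but an & that already starts an entity (&#60; &#x3C; &lt;)
// is left alone, so user-supplied entities reach the browser as entities.
function escape_preserving_entities(string $text): string
{
    $text = str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $text);
    // Only escape an & that is NOT followed by a numeric or named entity body.
    return preg_replace(
        '/&(?!#[0-9]+;|#x[0-9a-fA-F]+;|[a-zA-Z][a-zA-Z0-9]*;)/',
        '&amp;',
        $text
    );
}

// The post's approach: every & becomes &amp; unconditionally, *before* the
// rest of the escaping, so an attacker-supplied &#60; becomes the literal
// text "&#60;" instead of being decoded by the browser to "<".
function escape_forcing_ampersand(string $text): string
{
    $text = str_replace('&', '&amp;', $text);
    return str_replace(['<', '>', '"'], ['&lt;', '&gt;', '&quot;'], $text);
}

// Minimal [url=...] renderer used only to show where the escaped value ends
// up: inside an href attribute, where browser-side entity decoding applies.
function render_url_tag(string $bbcode, callable $escaper): string
{
    if (!preg_match('/^\[url=(.*?)\](.*?)\[\/url\]$/s', $bbcode, $m)) {
        return $escaper($bbcode);
    }
    [, $href, $label] = $m;
    return '<a href="' . $escaper($href) . '">' . $escaper($label) . '</a>';
}

// Constructed sample: the URL parameter smuggles a numeric entity for "<".
$sample = '[url=http://example.test/?q=1&#60;x]link[/url]';

echo "entity-preserving: ", render_url_tag($sample, 'escape_preserving_entities'), PHP_EOL;
// entity-preserving: <a href="http://example.test/?q=1&#60;x">link</a>
//   -> the browser decodes &#60; inside the attribute to "<", i.e. the
//      user's entity survived escaping unchanged.

echo "forced &amp;:      ", render_url_tag($sample, 'escape_forcing_ampersand'), PHP_EOL;
// forced &amp;:      <a href="http://example.test/?q=1&amp;#60;x">link</a>
//   -> the browser sees the literal text "&#60;", nothing is decoded.
```

The defensive point is that an escaper which preserves existing entities is only safe when the input is trusted to contain *your* entities; for attribute values built from user input, escaping every `&` first is the conservative choice, and any legitimate entities the software needs should be introduced after escaping rather than passed through it.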