Critical Update - Generate correctly escaped markup

There are only a few situations where the markup wasn't getting escaped properly earlier. As you can see from your test, the down the middle test worked before and after.

Here is a test case for when the markup wasn't getting escaped and it should have:

[Apex Class] MyController

global class MyController { 
    public String getProperty() {
        return  '<h1> escape me </h1>';
    }
}

[Visualforce Page] MyPage

<apex:page controller="MyController" showheader="false"> 
  <script />
  <apex:outputText escape="true" value="{!property}"/> 
</apex:page>

I think I found the answer for this buried on page 197 of the Winter13 release notes:

Changes to Escaping Behavior

Prior to the Winter ’13 release, text in some Visualforce pages and components might have been generated incorrectly. This markup could contain fragments that should have been escaped (for example, the "<" character generated as "&lt;") but were not. These fragments might be interpreted by the browser as markup rather than as text in the page. This problem has been corrected for all pages with API version 26.0 or later.

Your organization might contain pages or components that depend on this incorrect processing. These pages need to be fixed. To fix them, use <apex:outputText> with the attribute escape="false" to generate unescaped text.

For existing organizations, the Critical Updates page shows a pending change. When you have corrected any pages or components that depend on the incorrect behavior, activate the change on the Critical Updates page. You must make this change by the date indicated on the Critical Updates page. See “Critical Updates Overview” in the online help for details about managing critical updates.

If your organization contains pages or components with the problem installed from managed packages, you might need to contact the package’s supplier to obtain a newer, corrected, version.
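
An added example, not part of the original posts or the release notes: a Python audit over Visualforce source that flags pages still below API version 26.0 and `<apex:outputText>` tags that emit a merge field with `escape="false"`, which are the two places to review before activating the update. The page sources, the `MigratedPage` name and the `richBody` property are constructed, and the script assumes each page's API version is stored in an `<apiVersion>` element of its Metadata API `-meta.xml` file.

```python
import re
import xml.etree.ElementTree as ET

FIXED_API = 26.0  # release notes: escaping corrected for API version 26.0 or later
NS = "{http://soap.sforce.com/2006/04/metadata}"
# Attribute values are matched as quoted strings so a ">" inside {! ... } is safe.
TAG = re.compile(r'<apex:outputText\b((?:[^>"]|"[^"]*")*)>', re.I)
ATTR = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')

def audit_page(name, markup, meta_xml):
    """Return (page, line, kind) findings for one Visualforce page."""
    findings = []
    version = float(ET.fromstring(meta_xml).findtext(NS + "apiVersion"))
    if version < FIXED_API:
        # Output on this page may be emitted unescaped despite escape="true".
        findings.append((name, 0, "legacy-api"))
    for m in TAG.finditer(markup):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        raw = attrs.get("escape", "true").lower() == "false"
        if raw and "{!" in attrs.get("value", ""):
            # Controller data reaches the browser as markup: review its source.
            line = markup.count("\n", 0, m.start()) + 1
            findings.append((name, line, "raw-merge-field"))
    return findings

# Constructed sample inputs (not from a real org).
META = ('<ApexPage xmlns="http://soap.sforce.com/2006/04/metadata">'
        '<apiVersion>%s</apiVersion></ApexPage>')
LEGACY_PAGE = '''<apex:page controller="MyController" showheader="false">
  <script />
  <apex:outputText escape="true" value="{!property}"/>
</apex:page>'''
MIGRATED_PAGE = '''<apex:page controller="MyController">
  <apex:outputText value="{!IF(count > 1, 'many', 'one')}"/>
  <apex:outputText escape="false" value="{!richBody}"/>
</apex:page>'''

def run_audit():
    return (audit_page("MyPage", LEGACY_PAGE, META % "25.0")
            + audit_page("MigratedPage", MIGRATED_PAGE, META % "26.0"))

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

A `raw-merge-field` finding is not a defect by itself; it marks output where the controller value must already be trusted or encoded, because the page no longer escapes it.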
