in reply to How to test all TT2 tags are escaped.

IMHO the proper solution isn't (or at least not only) rigorous testing, but escaping by default. I've asked about that in the past, Re: HTML::Template vs. Template::Toolkit vs. ?? (esp. the reference to Template::Stash::HTML::Entities and default_escape for Template::Toolkit? might be relevant.

If none of those solutions work well, I'd consider it sufficient reason not to use TT2, and switch to a template system that supports default escaping.