Brad,
  you statement of legal requirements are quite simply a broad
overstatement.  If it was, you would be required NOW to deal
with the % hack, since you have admitted its not a standard,
and could be used to abuse your system.  In fact, your admission
of such could be used in litigation against AOL by its users.
  Secondly, if it is in fact you are required to pursue ALL technical
avenues, I think the information Eric has shown, and his offer of his
company as a consultant/service provider makes him a legitimate
solution, and AOL would be required to contract with them to do
something.  That's the best news I've had all day.