This is caused by our Util function, which sets the htmlspecialchars flag to not double encode by default.
So although those characters are being saved as shown, meaning if you enter &quot; that's what is saved in the DB, however to actually display it that way you need to do a &amp;quot; junk.
So to fix,
1) could enable double encode by default, but that gets ugly in some cases.
2) Just double encode in the preview and post areas, so in post.controller do
$form_message = Util::htmlspecialchars($_REQUEST['message'], ENT_QUOTES, 'UTF-8', true);
and
$_POST['message'] = Util::htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8', true);
3) Just do it for code blocks? Is there a reason to display it as the entity outside of a code block?
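
The effect of the double encode flag, and of option 3, as an added example that is not part of the original post or the project's code. It calls PHP's built-in htmlspecialchars() rather than the project's Util wrapper, and encode_message() and the sample message are hypothetical.

```php
<?php
// Added example: PHP's built-in htmlspecialchars(), not the project's Util wrapper.

// Constructed sample input: a typed entity, a raw tag, and a [code] block.
$message = 'Use &quot; for quotes, e.g. <a title="x"> [code]echo "&amp;";[/code]';

// double_encode = false: entities already present in the input are left alone,
// so the browser renders the typed "&quot;" as a plain quote character.
// The raw <, > and " are still encoded either way.
$single = htmlspecialchars($message, ENT_QUOTES, 'UTF-8', false);

// double_encode = true: the "&" of every typed entity becomes "&amp;",
// so the browser shows the entity text exactly as the user entered it.
$double = htmlspecialchars($message, ENT_QUOTES, 'UTF-8', true);

// Option 3 (hypothetical helper): double encode only inside [code] blocks,
// and keep the no-double-encode behaviour for the rest of the message.
function encode_message(string $text): string
{
    // With one capture group, odd indexes hold the [code]...[/code] segments.
    $parts = preg_split('~(\[code\].*?\[/code\])~s', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $out .= htmlspecialchars($part, ENT_QUOTES, 'UTF-8', $i % 2 === 1);
    }
    return $out;
}

echo $single, "\n", $double, "\n", encode_message($message), "\n";
```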