So is the method in place right now incorrect?
When you have text that is supposed to be “plain text,” it must be encoded as html entities by the time it gets to the page.
Say you had a post titled “All About The <H1>Headings</H1>”. If you use htmlentities, it will look like this:
All About The &lt;H1&gt;Headings&lt;/H1&gt;
But when viewed in the browser it will look like plain text. If you decode that, then when it gets to the browser, it will look like this:
All About The
Headings
[the word "Headings" is rendered as a level-1 heading, because the <H1> tags now reach the browser as markup]
This is exactly what XSS attacks are about: confusing what is supposed to be data (content) with what is supposed to be instructions (HTML markup).
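The two paths the answer above describes, as an added example that is not part of the original post. It uses Python's html.escape/html.unescape in place of PHP's htmlentities (same transformation for the characters that matter here); the title string, the h2 template and the helper names are constructed for the demonstration. The safe path encodes the title once, on output; the mistaken path decodes the stored entities again before sending them to the browser, which is exactly what turns the stored "data" back into "instructions":

```python
import html
import re

# Constructed sample from the post: user-supplied "plain text" that happens
# to contain HTML markup.
POST_TITLE = "All About The <H1>Headings</H1>"

TEMPLATE_TAGS = ('<h2 class="post-title">', "</h2>")
TAG_RE = re.compile(r"<[^>]+>")


def encode_for_html(text: str) -> str:
    """Encode text for insertion into an HTML body (the htmlentities step).

    '<' becomes '&lt;', '>' becomes '&gt;', '&' becomes '&amp;',
    and quotes are encoded too so the result is also safe inside attributes.
    """
    return html.escape(text, quote=True)


def decode_from_html(encoded: str) -> str:
    """Reverse the encoding. Only ever appropriate when the result is going
    somewhere that treats it as data (a database field, a plain-text e-mail),
    never right before writing it into an HTML response."""
    return html.unescape(encoded)


def render_title(title: str, decode_before_output: bool = False) -> str:
    """Build the page fragment that shows a post title.

    decode_before_output=False is the correct behaviour: encode once on output.
    decode_before_output=True reproduces the mistake the post warns about:
    the stored entities are decoded again, so raw '<H1>' reaches the browser.
    """
    text = encode_for_html(title)
    if decode_before_output:
        text = decode_from_html(text)  # undoes the protection
    return f"{TEMPLATE_TAGS[0]}{text}{TEMPLATE_TAGS[1]}"


def injected_tags(fragment: str) -> list[str]:
    """Return every tag in the fragment that is not part of our own template.

    A non-empty list means user-controlled data was emitted as markup, i.e.
    the data/instructions confusion that XSS is about.
    """
    return [tag for tag in TAG_RE.findall(fragment) if tag not in TEMPLATE_TAGS]


if __name__ == "__main__":
    safe = render_title(POST_TITLE)
    broken = render_title(POST_TITLE, decode_before_output=True)
    print("encoded once :", safe, "->", injected_tags(safe))
    print("decoded again:", broken, "->", injected_tags(broken))
```

Run as a script, the first line shows the title surviving as visible text with no foreign tags, and the second shows `<H1>` and `</H1>` appearing as real elements in the output. The `injected_tags` check is the kind of assertion worth keeping in a template test suite: render known-hostile sample input and fail the test if any tag the template did not itself emit shows up.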