I would guess that the user HTML code is not being escaped and unescaped correctly when it is being stored. Are you storing it in a database and if so are you handing the strings correctly with addslashes() or mysql_real_escape_string() before storing and then unescaping them afterwards before echoing them out? Or are you sending them as a get variable and then not using urldecode()?
It looks like a combination of both has happened – i.e. that result looks like it has first been escaped and then url encoded