Diff view does not escape HTML entities (BB-3344)
HTML entities present in code/source shown in the diff view does not escape HTML entities. They are presented as-is. It may be possible for other HTML constructs to pass by as-is also.
This is in contrast to the source code view, which does properly escape such entities.