I just tried to make a comment here on Drupal.org, where I needed to demonstrate something with ' - an apostrophe. So I used <code /> to escape it. Only, it didn't: &#39;. I then tried to do &amp;#39;, but &amp; is being escaped. So it would seem that the filter doesn't escape ampersands in ampersand-hash-foo-semicolon cases. Is there a reason it isn't just always escaped?