Instead of:
<?php echo($rsMain->getColumnVal("notes")); ?>
use:
<?php echo($rsMain->getColumnVal("notes",false)); ?>
The mySQLi code has automatic HTML Cross Site Scripting Injection protection, that needs to be disabled when you want to allow it to display html.