The MySQLi recordset has built in Cross Site Scripting protection that encodes html to prevent malicious code from being entered. It can be bypassed by adding the "false" argument to the getColumnVal() method call.
On the page referenced, if you update line 165 from:
$CKEditor_initialValue = "".$WADAcustomer_notes->getColumnVal('cNotes') ."";
to:
$CKEditor_initialValue = "".$WADAcustomer_notes->getColumnVal('cNotes',false) ."";
it will solve this issue.
You may want to do a site-wide search for:
$CKEditor_initialValue =
and correct this on any update page that uses an html editor.