Our MySQLi library has automatic Cross Site Scripting protection. You have to manually disable it in the code when you want it to render html code.
Anywhere you want html code to be rendered you have to update code that looks like this:
$RecordsetName->getColumnVal("ColumnName")
to this:
$RecordsetName->getColumnVal("ColumnName",false)
Adding the false argument at the end tells it to disable the Cross Site Scripting protection and allow html to be rendered on the page.