Something somewhere is running an htmlspecialchars() or equivalent on whatever you input, probably as an attempt at “sanitizing” the text entered in titles/posts/comments. You know, to keep me from just inserting a javascript tag with src=‘pwned.ru/fu.js’ into a comment and have it do something naughty to anyone who loads the page.
I’m certain these are being stored in the database as an &amp;, but they’re not being decoded back into an ampersand character upon display.
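
Added example, not part of the original comment: a Python sketch using `html.escape` as a stand-in for `htmlspecialchars()`, assuming the display layer also encodes its output. It shows how text encoded before storage ends up displayed as a literal `&amp;`, while encoding once at output shows the ampersand and still keeps the script tag inert. Function names and sample strings are constructed for illustration.

```python
import html

# Constructed sample inputs; the script URL is the one quoted in the comment.
TITLE = "Tom & Jerry"
PAYLOAD = "<script src='pwned.ru/fu.js'></script>"


def escape_on_input(text: str) -> str:
    """Entity-encode before storing (the input-side 'sanitizing' pattern)."""
    return html.escape(text, quote=True)


def render(stored: str) -> str:
    """Output-side template step: encode for an HTML text context."""
    return "<h2>" + html.escape(stored, quote=True) + "</h2>"


def as_seen_by_reader(markup: str) -> str:
    """Approximate a browser: drop the <h2> wrapper, decode entities once."""
    inner = markup[len("<h2>"):-len("</h2>")]
    return html.unescape(inner)


def double_encoded(text: str) -> str:
    """Encoded at input AND at output: the stored entity gets encoded again."""
    return as_seen_by_reader(render(escape_on_input(text)))


def encoded_once(text: str) -> str:
    """Stored raw, encoded exactly once at the point of output."""
    return as_seen_by_reader(render(text))


if __name__ == "__main__":
    print("stored (input-encoded):", escape_on_input(TITLE))
    print("reader sees, double   :", double_encoded(TITLE))
    print("reader sees, once     :", encoded_once(TITLE))
    print("markup for payload    :", render(PAYLOAD))
```
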