I haven't noticed that & I check quite a lot. I guess I need to take more time & check more. Anyway, this sounds like a bug. Maybe you should go & report it on GitHub & let me know when you get back.
That was a bug in Lemmy 0.18.X, where it introduced sanitization against XSS. After an XSS attack had happened. Which was introduced with the custom smiley feature, which allowed arbitrary JS to be executed on every client.
Which was then removed in 0.19, when I had a discussion with the Lemmy devs that this responsibility lies with the clients to properly sanitize this. (Display text as text; the fault lay in Lemmy UI.)
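
An added illustration of the trade-off discussed in this thread, not part of any comment above and not code from Lemmy or Lemmy UI: it compares escaping user text when it is stored with escaping it when it is rendered, for a client that displays text as text and one that inserts API data as HTML. All function names and sample strings are constructed for the example.

```javascript
// Hypothetical helpers; none of this is Lemmy or Lemmy UI code.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Output encoding for an HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Server design A: escape before storing. Design B: store what was submitted.
const storeEscaped = (input) => escapeHtml(input);
const storeRaw = (input) => input;

// Client that treats API data as text and encodes at render time.
const renderAsText = (stored) => escapeHtml(stored);
// Client that inserts API data into the page as HTML.
const renderAsHtml = (stored) => stored;

// What the reader sees: the browser decodes entities exactly once.
function visibleText(html) {
  return html.replace(/&(amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// True if the HTML handed to the browser still contains an actual tag.
function hasLiveMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Run one input through every server/client combination.
function compare(input) {
  const cell = (html) => ({ live: hasLiveMarkup(html), visible: visibleText(html) });
  return {
    escapedStoreTextClient: cell(renderAsText(storeEscaped(input))),
    escapedStoreHtmlClient: cell(renderAsHtml(storeEscaped(input))),
    rawStoreTextClient: cell(renderAsText(storeRaw(input))),
    rawStoreHtmlClient: cell(renderAsHtml(storeRaw(input))),
  };
}

// Constructed sample inputs: an ordinary title and a string containing markup.
console.log(compare('Tom & Jerry <3'));
console.log(compare('<script>alert(1)</script>'));
```

Escaping at storage time protects the HTML-inserting client but makes a correctly encoding client show literal entities, while raw storage is only safe when every client encodes at render time.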