Do not escape html in report header and footers on API create
ReportInstance.create escapes the HTML when inserting into the DB (and when retrieving, it seems) but other parts of the UI do not.
civicrm_report_instance.header and civicrm_report_instance.footer both contain HTML that (if I am following https://lab.civicrm.org/dev/core/blob/master/CRM/Utils/API/HTMLInputCoder.php correctly - @colemanw - you touched that file recently) should not be escaped.
Adding 'header' and 'footer' to the list of fields that should not be escaped fixes the issue.
Aside: CRM_Utils_API_HTMLInputCoder::getSkipFields() seems flawed in that it does not specify the entity of the field that is to be ignored. Thankfully in this instance, in the CiviCRM DB schema 'header' and 'footer' are only used in civicrm_report_instance, but it feels like this class could end up inadvertently not escaping HTML that should be escaped (and maybe that is a potential security issue?)
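The concern in the aside above, as an added example that is not part of the original issue and is not CiviCRM's code: a simplified model comparing a skip list keyed only by field name with one keyed by entity. The function names, the `HypotheticalEntity` entity and all sample values are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model, not CiviCRM's HTMLInputCoder.
// HypotheticalEntity and all sample values are constructed.

/** Escape angle brackets in a string value (stand-in for the input coder). */
function encode_value(string $v): string {
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $v);
}

/** Field-name-only skip list: the entity plays no part in the decision. */
function encode_by_field_name(string $entity, array $params, array $skipFields): array {
    foreach ($params as $field => $value) {
        if (is_string($value) && !in_array($field, $skipFields, true)) {
            $params[$field] = encode_value($value);
        }
    }
    return $params;
}

/** Entity-scoped skip list: a field is skipped only for the entity that listed it. */
function encode_by_entity(string $entity, array $params, array $skipByEntity): array {
    $skip = $skipByEntity[$entity] ?? [];
    return encode_by_field_name($entity, $params, $skip);
}

$globalSkip = ['header', 'footer'];
$scopedSkip = ['ReportInstance' => ['header', 'footer']];

$report = ['title' => 'Donors <2024>', 'header' => '<h1>Report</h1>'];
// Hypothetical entity that also has a "header" column holding untrusted text.
$other = ['header' => '<b>user supplied</b>'];

$cases = [
    'global, ReportInstance'     => encode_by_field_name('ReportInstance', $report, $globalSkip),
    'global, HypotheticalEntity' => encode_by_field_name('HypotheticalEntity', $other, $globalSkip),
    'scoped, ReportInstance'     => encode_by_entity('ReportInstance', $report, $scopedSkip),
    'scoped, HypotheticalEntity' => encode_by_entity('HypotheticalEntity', $other, $scopedSkip),
];
foreach ($cases as $label => $result) {
    echo $label, ': ', json_encode($result, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

With the field-name-only list, the `header` value of the second entity passes through unescaped; with the entity-scoped list it is escaped while the report header is still left intact.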