Rickard here. Just testing.
As you can see, I am unable to replicate the problem with posting with a username containing a #. I don't know why you have experienced the problem _arse. The only thing that comes to mind is the fact that the you can't load the post form (in post.php and in viewtopic.php) with one user and then in another window login with a different user and try to post the form in the first window. The form is filled with a hidden element form_user that has to match that of the logged in user when the post is actually submitted. Could this be what happened to you?
Regarding HTML entities. The problem is that there is no good way of converting HTML entities to their respective characters. The only solution I know of is building two massive arrays and doing a search and replace on the text. That call to str_replace() will be very time consuming. Especially for longer posts. That is also the reason that no other forum software I know of do it. There are more problems. The reason PunBB doesn't escape the & in posts so that HTML entities can be displayed as the actual entity instead of the character it represents is related to Internet Explorer. If you try to post a piece of text in e.g. Russian to a form that sits on a page with a non-russian character set (e.g. iso-8859-1), IE will convert all the posted characters to HTML entities before posting them. Thus, HTML entities cannot be "allowed" because people wouldn't be able to post e.g. russian in these forums.