I was typing a response that involved C++ template syntax in a code block, and discovered when I posted that the < and > symbols (and everything between them) had all been removed. I discovered that you could use escape codes to cause the characters to appear correctly and edited those into my post.
Unfortunately, hitting 'preview post' replaces escaped characters with unescaped characters. Thus, hitting 'preview post' twice in a row will result in two different-looking previews, as the second time the now-unescaped characters will be removed. 'preview post' changing what your post will look like upon submit is most certainly a bug.
Could you just automatically replace symbols like < with their escape sequences upon submit? I think the entire rest of your system would work well enough with just that. And it doesn't do anything a user couldn't do themselves, so it could not possibly be a security issue.
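The double-preview behaviour described in the post, modelled as an added example that is not the forum's own code. `stripTags`, `buggyPreview` and `fixedPreview` are hypothetical names, and the tag filter is an assumed stand-in for whatever the forum actually runs; the second half escapes only at render time, so the draft never changes between previews.

```javascript
// Added illustration: a model of the reported behaviour, not the forum's code.

// Assumed input filter: removes anything that looks like an HTML tag.
function stripTags(text) {
  return text.replace(/<[^>]*>/g, "");
}

// Decode the basic HTML entities ("&amp;" last, to avoid double decoding).
function decodeEntities(text) {
  return text.replace(/&lt;/g, "<").replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Encode for an HTML text context ("&" first, so it is not re-encoded).
function encodeEntities(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Model of the reported bug: the draft is filtered, then the *decoded*
// text is written back into the edit box, so the next preview filters it again.
function buggyPreview(draft) {
  const shown = decodeEntities(stripTags(draft));
  return { shown, nextDraft: shown };
}

// Escape-on-output: the draft is stored exactly as typed and encoded only
// when it is rendered, so previewing any number of times is a no-op.
function fixedPreview(draft) {
  return { html: encodeEntities(draft), nextDraft: draft };
}

// Constructed sample input: a draft where the user escaped the brackets by hand.
const handEscaped = "std::vector&lt;int&gt; v;";
const first = buggyPreview(handEscaped);
const second = buggyPreview(first.nextDraft);
console.log(first.shown);  // template arguments visible
console.log(second.shown); // template arguments stripped

// Same code typed naturally, run through the escape-on-output path twice.
const raw = "std::vector<int> v;";
const once = fixedPreview(raw);
const twice = fixedPreview(once.nextDraft);
console.log(once.html === twice.html); // previews are identical
```

Because `fixedPreview` encodes `&` as well, a user who types a literal `&lt;` sees exactly that text rather than a bracket.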